project-callisto / callisto-core

Report intake, escrow, matching and secure delivery code for Callisto, an online reporting system for sexual assault.
https://www.projectcallisto.org
GNU Affero General Public License v3.0

Encrypt the answers instead of all the report data #236

Open coilysiren opened 7 years ago

coilysiren commented 7 years ago

Currently we create a dictionary of all the report data (e.g. questions, choices, the choice picked, question answers, etc.), encrypt that with the secret key, and store it in report_data as JSON. The problem with this approach is that it copies question fields and IDs into the JSON data as strings. And, similarly to every other time an ID or field is denormalized, this approach is extremely vulnerable to error whenever the report questions are changed.

This system needs to be redesigned in such a way that questions are linked to the reports with foreign keys (perhaps with a new Answers model), but any identifying information about the answers (answer text, choice ids, etc) is encrypted at rest with the user's secret key.

coilysiren commented 7 years ago

Oh, actually, there's a fundamental problem here. Callisto🔒 currently stores questions and reports in two separate databases 😕

coilysiren commented 7 years ago

relevant s/o question https://stackoverflow.com/questions/6830564/how-to-use-django-models-with-foreign-keys-in-different-dbs
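Added example to illustrate the two storage designs discussed in this thread (this is not callisto-core code). Approach 1 snapshots question text and IDs into one encrypted JSON blob, so an edit to a question never reaches reports already filed. Approach 2 keeps one row per answer with a plaintext `question_id` reference and encrypts only the answer payload (text or choice id) under the user's secret; because the questions live in a separate database, that reference is an integer id resolved in application code rather than a DB-enforced foreign key. The cipher (`encrypt`/`decrypt`) is a stand-in built from `hashlib`/`hmac` so the example runs with the standard library alone; the question table, secret and answers are constructed sample data.

```python
"""Added example, not callisto-core code: denormalised encrypted blob vs.
per-answer rows that reference questions by id and encrypt only the answer."""
import hashlib
import hmac
import json
import os

# --- stand-in cipher (assumption: not the project's crypto) ---------------
# PBKDF2 derives an encryption key and a MAC key from the user's secret;
# an HMAC-SHA256 counter keystream encrypts; encrypt-then-MAC authenticates.
_ITER = 10_000  # kept low so the demo runs quickly


def _derive(secret: str, salt: bytes) -> tuple[bytes, bytes]:
    km = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, _ITER, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(secret: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive(secret, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def decrypt(secret: str, blob: bytes) -> bytes:
    """Verify the tag first; raise ValueError on a wrong secret or tampering."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive(secret, salt)
    expect = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


# --- approach 1: everything snapshotted into one encrypted JSON blob ------
def store_report_blob(secret: str, questions: dict, answers: dict) -> bytes:
    data = [{"question_id": qid, "question_text": questions[qid], "answer": text}
            for qid, text in answers.items()]
    return encrypt(secret, json.dumps(data).encode())


def render_report_blob(secret: str, blob: bytes) -> list:
    # Question text comes from the blob, so it is frozen at filing time.
    return [(row["question_text"], row["answer"])
            for row in json.loads(decrypt(secret, blob))]


# --- approach 2: one row per answer, question referenced by id ------------
def store_answers(secret: str, answers: dict) -> list:
    # question_id stays in the clear (a logical reference, since the question
    # table is in another database); only the answer payload is encrypted.
    return [{"question_id": qid, "answer_ct": encrypt(secret, text.encode())}
            for qid, text in answers.items()]


def render_answers(secret: str, questions: dict, rows: list) -> list:
    # Question text is resolved from the live question table at render time.
    return [(questions[row["question_id"]], decrypt(secret, row["answer_ct"]).decode())
            for row in rows]


def demo() -> tuple:
    """Constructed sample: file a report, then reword a question afterwards."""
    secret = "user-secret"  # constructed
    questions = {1: "Where did it happen?", 2: "Did you know the person?"}  # constructed
    answers = {1: "In the library", 2: "yes"}  # constructed
    blob = store_report_blob(secret, questions, answers)
    rows = store_answers(secret, answers)
    questions[1] = "Where did the incident take place?"  # question edited later
    return render_report_blob(secret, blob)[0], render_answers(secret, questions, rows)[0]


if __name__ == "__main__":
    stale, current = demo()
    print("blob   :", stale)    # still shows the old question text
    print("answers:", current)  # follows the edited question
```

`demo()` shows the failure mode from the first comment: the blob keeps reporting the pre-edit wording, while the per-answer rows pick up the change because only the answer, never the question, is inside the ciphertext. A wrong secret or a flipped ciphertext byte makes `decrypt` raise instead of returning garbage, which is the property a production AEAD would give you as well.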