Broken Teachers change form

sio2project / oioioi

GNU General Public License v3.0

162 stars 72 forks source link

Broken Teachers change form #282

Closed twalen closed 11 months ago

twalen commented 11 months ago

Currently in the Change Teacher form:

there is no "is_active" field
the message field is not-used (also in the Add Teacher form)
the user name is replaced with user_id
it is possible to change user in the form

Expected behaviour:

it should be possible to change is_active field
the message field should be removed
on update, the user field should be readonly and the login name should be visible

A-dead-pixel commented 11 months ago

the user name is replaced with user_id

https://github.com/sio2project/oioioi/pull/257/commits/99478ec4b352befd5c227524729689e6dc3828ce from https://github.com/sio2project/oioioi/pull/257 should fix this.

twalen commented 11 months ago

the user name is replaced with user_id

99478ec from #257 should fix this.

I was also thinking about such solution, but I was not sure if this approach could lead to data leakage (like enumerating ids to get user logins).

twalen commented 11 months ago

the user name is replaced with user_id

99478ec from #257 should fix this.

I was also thinking about such solution, but I was not sure if this approach could lead to data leakage (like enumerating ids to get user logins).

I'm taking this back. Actually lookup based on int-type is not a security issue. For malicious POST the user field will be reported as "str".