stanfordnmbl / opencap-api

Apache License 2.0

Result upload permissions #60

Closed suhlrich closed 9 months ago

suhlrich commented 1 year ago

It appears that you can POST a Result without being admin, backend, or the user. You can only GET the result if you have the aforementioned permissions. Admin, backend, or the user should be the only ones who can either POST or GET.

https://github.com/stanfordnmbl/opencap-api/blob/3b8e1c202423de14913c85412a864f16c8356fa0/mcserver/views.py#L1027

To replicate: POST request of result with the token for user1 to a session owned by user2. It will still post, but it should be rejected. Python code:

```python
import requests

API_TOKEN = '<user1_token>'  # token for user1
API_URL = 'https://dev.opencap.ai/'

trial_id = 'd9fbccde-9b6b-44ed-80e3-43a66076579b'  # trial owned by someone who is not user1
tag = 'ghost-result'
device_id = 'ghost_device'
media_url = 'random_url'

# post a result (tag, device and media link) against the trial
data = {
    "trial": trial_id,
    "tag": tag,
    "device_id": device_id,
    "media_url": media_url
}

rResult = requests.post(API_URL + "results/", data=data,
                        headers={"Authorization": "Token {}".format(API_TOKEN)})
# should be rejected for user1, but currently succeeds (the bug reported above)
print(rResult.status_code, rResult.text)
```
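An added example (not the project's code and not the fix in the linked PR) of the check a maintainer would want applied on both the create and read paths; the Django/DRF models are replaced by plain dataclasses, and the `is_backend` flag and in-memory stores are assumptions:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: str
    is_admin: bool = False
    is_backend: bool = False  # assumed service-account flag

@dataclass(frozen=True)
class Session:
    id: str
    owner_id: str

@dataclass(frozen=True)
class Trial:
    id: str
    session: Session

# Constructed fixtures: user2 owns the session that contains trial t1.
USER1 = User("user1")
USER2 = User("user2")
ADMIN = User("admin", is_admin=True)
BACKEND = User("backend", is_backend=True)
TRIALS = {"t1": Trial("t1", Session("s1", owner_id="user2"))}
RESULTS: dict[int, dict] = {}

def may_access_trial(user: User, trial: Trial) -> bool:
    """One rule shared by the read and write paths: admin, backend, or the session owner."""
    return user.is_admin or user.is_backend or trial.session.owner_id == user.id

def post_result(user: User, payload: dict) -> tuple[int, dict]:
    """Create handler. Object-level permission hooks only see objects that already exist,
    so a create must resolve the parent trial from the payload and check it before writing."""
    trial = TRIALS.get(payload.get("trial"))
    if trial is None:
        return 404, {"detail": "trial not found"}
    if not may_access_trial(user, trial):
        return 403, {"detail": "not permitted"}
    result_id = len(RESULTS) + 1
    RESULTS[result_id] = {"id": result_id, "trial": trial.id, "tag": payload.get("tag"),
                          "device_id": payload.get("device_id"), "media_url": payload.get("media_url")}
    return 201, RESULTS[result_id]

def get_result(user: User, result_id: int) -> tuple[int, dict]:
    """Read handler applying the same rule via the stored result's trial."""
    result = RESULTS.get(result_id)
    if result is None:
        return 404, {"detail": "result not found"}
    if not may_access_trial(user, TRIALS[result["trial"]]):
        return 403, {"detail": "not permitted"}
    return 200, result
```

With this shape the reproduction in the report (user1 posting to user2's trial) is refused before any row is written, and a later GET by user1 is refused by the same rule.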
olehkorkh-planeks commented 10 months ago

Fix - https://github.com/stanfordnmbl/opencap-api/pull/131