What steps will reproduce the problem?
1. Visit http://blog.victorz.ca/programming/384/blitz-hacks to obtain hax
2. Run the 1st hack (moves anywhere)
3. Run the second hack in the game history (allows one to delete HIS OWN finished games, not that of others)
What is the expected output? What do you see instead?
I would expect a forbidden error, but it works as advertised.
What version of the product are you using? On what operating system?
The latest version at http://blitz.appspot.com/
Please provide any additional information below.
To fix:
1. Disallow deletion of games after 2 moves, or if it has ended.
2. Check the chess move at the server to ensure that it is valid. This will require you to keep the state at the server.
3. Check for checkmates at the server, as the client can flag any move as a checkmate, instantly winning the game.
Original issue reported on code.google.com by theonlypwner on 4 May 2012 at 6:56
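The three fixes proposed above all come down to one design rule: the server holds the authoritative game state and derives legality, checkmate and deletion rights from that state, never from flags the client sends. The following is an added example of that design, not code from the blitz project; it uses a deliberately reduced rules engine (kings, queens, rooks, bishops and knights only, with no pawns, castling, en passant or promotion) so the server-side logic stays short, and the `GameServer` API, user names and the starting position are constructed for the demo.

```python
"""Server-authoritative move validation (added example, not the blitz project's code).

The server keeps the board, recomputes legality and checkmate itself, and
ignores the client's "checkmate" flag. Piece set is limited to K, Q, R, B, N.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Square = Tuple[int, int]   # (file 0-7, rank 0-7)
Piece = Tuple[str, str]    # (color 'w'/'b', kind 'K' 'Q' 'R' 'B' 'N')
FILES = "abcdefgh"

KING_DIRS = [(dx, dy) for dx in (-1, 0, 1) for dy in (-1, 0, 1) if (dx, dy) != (0, 0)]
ROOK_DIRS = [(1, 0), (-1, 0), (0, 1), (0, -1)]
BISHOP_DIRS = [(1, 1), (1, -1), (-1, 1), (-1, -1)]
KNIGHT_JUMPS = [(1, 2), (2, 1), (-1, 2), (-2, 1), (1, -2), (2, -1), (-1, -2), (-2, -1)]


def parse_square(name: str) -> Square:
    """'e4' -> (4, 3). Rejects malformed client input instead of trusting it."""
    if len(name) != 2 or name[0] not in FILES or name[1] not in "12345678":
        raise ValueError(f"bad square: {name!r}")
    return (FILES.index(name[0]), int(name[1]) - 1)


class Board:
    def __init__(self, pieces: Dict[Square, Piece], to_move: str = "w"):
        self.pieces = dict(pieces)
        self.to_move = to_move

    def pseudo_moves(self, color: str):
        """Moves by piece geometry only; may leave the mover's own king in check."""
        for (f, r), (c, kind) in self.pieces.items():
            if c != color:
                continue
            if kind in "QRB":  # sliding pieces
                dirs = {"Q": KING_DIRS, "R": ROOK_DIRS, "B": BISHOP_DIRS}[kind]
                for dx, dy in dirs:
                    nf, nr = f + dx, r + dy
                    while 0 <= nf < 8 and 0 <= nr < 8:
                        target = self.pieces.get((nf, nr))
                        if target is None:
                            yield (f, r), (nf, nr)
                        else:
                            if target[0] != color:
                                yield (f, r), (nf, nr)
                            break
                        nf, nr = nf + dx, nr + dy
            else:  # K or N: single step
                for dx, dy in (KING_DIRS if kind == "K" else KNIGHT_JUMPS):
                    nf, nr = f + dx, r + dy
                    if 0 <= nf < 8 and 0 <= nr < 8:
                        target = self.pieces.get((nf, nr))
                        if target is None or target[0] != color:
                            yield (f, r), (nf, nr)

    def apply(self, frm: Square, to: Square) -> "Board":
        nxt = Board(self.pieces, "b" if self.to_move == "w" else "w")
        nxt.pieces[to] = nxt.pieces.pop(frm)
        return nxt

    def in_check(self, color: str) -> bool:
        king = next((sq for sq, (c, k) in self.pieces.items() if c == color and k == "K"), None)
        other = "b" if color == "w" else "w"
        return any(to == king for _, to in self.pseudo_moves(other))

    def legal_moves(self):
        for frm, to in self.pseudo_moves(self.to_move):
            if not self.apply(frm, to).in_check(self.to_move):
                yield frm, to

    def is_checkmate(self) -> bool:
        return self.in_check(self.to_move) and not any(self.legal_moves())


@dataclass
class Game:
    white: str
    black: str
    board: Board
    moves: List[str] = field(default_factory=list)
    result: Optional[str] = None


class GameServer:
    def __init__(self):
        self.games: Dict[int, Game] = {}

    def submit_move(self, user: str, game_id: int, frm: str, to: str,
                    client_says_checkmate: bool = False) -> Optional[str]:
        g = self.games[game_id]
        if g.result is not None:
            raise PermissionError("game is finished")
        if user != (g.white if g.board.to_move == "w" else g.black):
            raise PermissionError("not this user's turn")
        move = (parse_square(frm), parse_square(to))
        if move not in set(g.board.legal_moves()):
            raise ValueError(f"illegal move {frm}{to}")
        g.board = g.board.apply(*move)
        g.moves.append(frm + to)
        # client_says_checkmate is never consulted: the server decides from its own state.
        if g.board.is_checkmate():
            g.result = "checkmate"
        return g.result

    def delete_game(self, user: str, game_id: int) -> None:
        g = self.games[game_id]
        if user not in (g.white, g.black):
            raise PermissionError("not a participant")
        if g.result is not None or len(g.moves) >= 2:
            raise PermissionError("game already under way or finished")
        del self.games[game_id]


def mate_in_one_position() -> Board:
    """Constructed position: White Kg6, Qa7; Black Kh8; White to move (Qg7 mates)."""
    return Board({(6, 5): ("w", "K"), (0, 6): ("w", "Q"), (7, 7): ("b", "K")}, "w")
```

With this layout the "move anywhere" hack fails at the `legal_moves` check, the forged checkmate flag is simply never read, and `delete_game` refuses once the game has two moves or a result, so the three client-side tricks in the report have no server-side effect.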