Currently, if I go to a user's URL, I think I can link / unlink all their repositories. You should only be able to do that to your own.
Places that we need to change:
frontend stuff in web/js/views/user -- hide when user is not self
backend stuff in app/handlers/repo -- don't allow any writes (create, update, delete) for any of the api calls if not against self. This is probably best implemented as middleware. Take a look at app/middleware/entity.js as an example.
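A sketch of the backend middleware described above, added here as an example and not code from this project. It assumes an Express-style `(req, res, next)` signature, that the auth layer has already populated `req.user.id`, and that the caller passes in an accessor that returns the user a request targets (for link/create that is the user in the URL, e.g. `req.params.user`; for update/delete it should be the owner of the repo loaded by the entity middleware, never a field the client sends). Those names are assumptions, not the project's API. The small `makeRes`/`runGuard` helpers at the bottom are only a constructed harness so the guard can be exercised without a server.

```javascript
// Added example, not the project's code. Assumptions (hypothetical): the auth
// layer sets req.user = { id }, and getTargetUserId(req) returns the user the
// request acts on (URL param for create, loaded repo's owner for update/delete).

const WRITE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Returns middleware that allows writes only when the acting user is the target
// user. Reads are passed through untouched; only writes must be "against self".
function requireSelfForWrites(getTargetUserId) {
  return function selfOnly(req, res, next) {
    if (!WRITE_METHODS.has(String(req.method).toUpperCase())) return next();

    const actor = req.user && req.user.id;
    const target = getTargetUserId(req);

    // No authenticated user at all: 401.
    if (actor == null) {
      return res.status(401).json({ error: 'authentication required' });
    }
    // Unknown target, or target is someone else: fail closed with 403.
    // Compare as strings so an ObjectId vs. string id mismatch cannot fail open.
    if (target == null || String(actor) !== String(target)) {
      return res.status(403).json({ error: 'you may only modify your own repositories' });
    }
    return next();
  };
}

// --- constructed test harness (not part of the middleware) ---------------

// Minimal stand-in for an Express response object.
function makeRes() {
  const res = { statusCode: 200, body: null };
  res.status = function (code) { this.statusCode = code; return this; };
  res.json = function (payload) { this.body = payload; return this; };
  return res;
}

// Runs the guard for one constructed request and reports what happened.
function runGuard(method, actorId, targetId) {
  const guard = requireSelfForWrites((req) => req.params.user);
  const req = {
    method,
    user: actorId == null ? null : { id: actorId },
    params: { user: targetId },
  };
  const res = makeRes();
  let calledNext = false;
  guard(req, res, () => { calledNext = true; });
  return { status: res.statusCode, calledNext };
}

// Demonstration with constructed requests.
console.log(runGuard('DELETE', 'alice', 'alice')); // own repo: passes through
console.log(runGuard('DELETE', 'alice', 'bob'));   // someone else's: 403
console.log(runGuard('GET', 'alice', 'bob'));      // read: not restricted here
console.log(runGuard('POST', null, 'bob'));        // unauthenticated: 401
```

With Express this would be mounted before the repo write handlers, for instance `router.use('/users/:user/repos', requireSelfForWrites(req => req.params.user))` (illustrative; the real route shape is whatever app/handlers/repo uses). Hiding the link/unlink controls in web/js/views/user is still worth doing for UX, but it is not the security boundary: anyone can call the API directly, so the backend check is the one that matters.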