thegazelle-ad / gazelle-server

Server for front-end and editor tools of The Gazelle
MIT License

Database content can be changed without authorization #478

Closed Helw150 closed 6 years ago

Helw150 commented 6 years ago

Expected Behavior

Accessing the Admin API directly should be denied based on authorization.

Current Behavior

Admin API can be accessed directly using curl.

Possible Solution

Any Set/Put requests should somehow be checked using the auth token we get from Google Authentication.

Steps to Reproduce (for bugs)

  1. Run any of our admin page set requests via cURL.
  2. Go to the page you attempted to change and see that it indeed has changed.
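The check the issue asks for, as an added example that is not gazelle-server code: an Express-style middleware that refuses state-changing admin API requests unless they carry a valid Google ID token from an account on an editor allow-list. The verifier is injected so the policy runs offline here; in production it would wrap a real check such as google-auth-library's `OAuth2Client.verifyIdToken({ idToken, audience })`. All names (`authorizeAdminRequest`, `requireEditor`, the `/api/admin` mount path, the sample claims) are assumptions, not the project's own.

```javascript
// Added example, not gazelle-server code. A production verifier is async;
// this demo keeps `verifyIdToken` synchronous so it can be unit-tested offline.

// HTTP methods that never change server state; everything else is treated
// as a "set"/"put" request that must be authorized before it reaches the DB.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Pull a bearer token out of the Authorization header, or null if absent.
function extractBearerToken(headers) {
  const value = headers && (headers.authorization || headers.Authorization);
  if (typeof value !== 'string') return null;
  const match = /^Bearer\s+(\S+)$/i.exec(value.trim());
  return match ? match[1] : null;
}

// Decide whether a request may proceed. Returns { allowed, status, reason }
// so the policy can be tested without a running server.
// `verifyIdToken(token)` returns the verified claims or throws (assumed API).
// `allowedEmails` is the set of editor accounts permitted to write.
function authorizeAdminRequest(req, verifyIdToken, allowedEmails) {
  if (SAFE_METHODS.has(String(req.method).toUpperCase())) {
    return { allowed: true, status: 200, reason: 'read-only request' };
  }
  const token = extractBearerToken(req.headers);
  if (!token) {
    return { allowed: false, status: 401, reason: 'missing bearer token' };
  }
  let claims;
  try {
    claims = verifyIdToken(token); // signature, expiry and audience checked here
  } catch (err) {
    return { allowed: false, status: 401, reason: 'invalid token' };
  }
  // A valid Google token only proves identity; the account must also be
  // one that is allowed to edit content, otherwise any Google user could write.
  if (!claims.email_verified || !allowedEmails.has(claims.email)) {
    return { allowed: false, status: 403, reason: 'account is not an editor' };
  }
  return { allowed: true, status: 200, reason: `editor ${claims.email}` };
}

// Express-compatible wrapper; mount ahead of the admin routes, e.g.
// app.use('/api/admin', requireEditor(verify, editors)) (assumed path).
function requireEditor(verifyIdToken, allowedEmails) {
  return (req, res, next) => {
    const decision = authorizeAdminRequest(req, verifyIdToken, allowedEmails);
    if (decision.allowed) return next();
    res.status(decision.status).json({ error: decision.reason });
  };
}
```

With this in place the curl reproduction in the issue gets a 401 instead of silently changing the page, and a request with a valid token from a non-editor account gets a 403.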

emilgoldsmith commented 6 years ago

Duplicate of #422