Closed gnull closed 5 months ago
The current version of PR has a problem though: doing id INTEGER PRIMARY KEY,
makes the id
global among all the users. This way, a malicious user will be able to create datapoints from time to time and, by looking at the ids, know something about how many datapoints the other users have created. It's not a good way to do it since it breaks isolation between the users: we need to make sure that users can't interfere with each other at all (unless we add that explicitly).
Do you @thermobased have any ideas for how we can generate unique ids for datapoints and ensure that ids of one user are independent from the ids of others?
Ivan
Adding an id
field to datapoints
may help avoid issues like https://github.com/thermobased/flask-webapp/issues/9 in the future.
5409f1c00e02011ac8b75f40dd9dd34fe6c12ebc does exactly that
I think it's a good idea to have some identifier that we can use to refer to datapoints. For example, when deleting them we can just specify the
id
instead of(user,habit,occasion,comment)
tuple like it's done now:https://github.com/thermobased/flask-webapp/blob/bc938fa015090d7f46bfcf661d026edc26875b90/main.py#L190
Instead, we could do something like
DELETE FROM datapoints WHERE id = ?
.It can get useful again if we decide to allow changing datapoints, we can refer to them simply using the id, no need to pass 4 fields to refer to a datapoint.
Ivan