search

tsdataclinic / scout

Scout is a data discovery tool to explore open data portals worldwide.
https://scout.tsdataclinic.com
Apache License 2.0
33 stars 12 forks source link

[BUG] When authenticated, any collection is accessible if you have the right collection id #289

Open jps327 opened 2 years ago

jps327 commented 2 years ago

Describe the bug If you're authenticated and have the collection id for another user's collection, you can still access that collection by entering the correct URL.

This violates an expectation of privacy that needs to be fixed. Collections should only be accessible via a URL when marked as Shareable. This will require needing to add some field in the db to mark a collection as shareable, and we'll need to add a UI element in a collection page to toggle whether or not a collection is shareable. But it's important that a Collection be inaccessible even with the correct URL in order to maintain privacy, and only when a user explicitly decides to share a collection should it be accessible via a URL.

To Reproduce Steps to reproduce the behavior:

  1. Run the app locally
  2. Login as user A
  3. Create a collection
  4. Copy the URL and log out
  5. Login as user B
  6. Paste the URL and user A's collection will load. This should not happen.

Expected behavior A page saying that you don't have permission to access this collection should be displayed.

Screenshots If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):