ucsb-cs156-s21 / proj-ucsb-cs-las

https://proj-ucsb-cs-las.herokuapp.com/
MIT License

Enforce Admin/Instructor Upload of Tutor CSV Data #319

Open WadeVaresio opened 3 years ago

WadeVaresio commented 3 years ago

Bug Report

Currently there is no check on the endpoint "/api/member/tutors/upload" as to whether the user is allowed to upload tutors.

Steps to Reproduce

  1. Perform a CSV upload of Tutors by directly invoking the endpoint "/api/member/tutors/upload" with non-admin/instructor-level permission.
  2. Upload succeeds, whereas it should return an unauthorized request.

Expected / Desired Behavior

Endpoint should return an unauthorized request response.

Observed / Actual Behavior

Uploading CSV of Tutor data with incorrect permissions works.
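
The check this report asks for, as an added example (not the project's code): a framework-free Python model of the upload handler that verifies the caller's role on the server before the CSV is parsed or stored. The role names, CSV columns, the `authorize` and `upload_tutors` helpers, and the split between 401 (no identity) and 403 (wrong role) are assumptions.

```python
import csv
import io

# Assumption: role names; the issue only says "admin/instructor".
UPLOAD_ROLES = {"admin", "instructor"}


def authorize(user, allowed_roles):
    """Return None if the caller is allowed, else a (status, message) denial."""
    if user is None:
        return 401, "authentication required"
    if not allowed_roles & set(user.get("roles", ())):
        return 403, "admin or instructor role required"
    return None


def upload_tutors(user, csv_text, store):
    """Handler modelled on POST /api/member/tutors/upload.

    The role check runs before the body is parsed or anything is saved,
    so a denied request leaves `store` untouched.
    """
    denial = authorize(user, UPLOAD_ROLES)
    if denial:
        return denial
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    store.extend(rows)
    return 200, f"{len(rows)} tutors uploaded"


# Constructed sample data (column names and users are hypothetical).
SAMPLE_CSV = "firstName,lastName,email\nAda,Lovelace,ada@example.edu\n"
MEMBER = {"email": "member@example.edu", "roles": ["member"]}
INSTRUCTOR = {"email": "prof@example.edu", "roles": ["member", "instructor"]}

if __name__ == "__main__":
    db = []
    for who in (None, MEMBER, INSTRUCTOR):
        print(who and who["email"], upload_tutors(who, SAMPLE_CSV, db))
    print("rows stored:", len(db))
```

A regression test for this issue should assert both the denial status and that no tutor rows were written for the denied caller.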