feedback updating should not use a guessable identifier

wagtail / guide

A website to teach Wagtail CMS to content editors, moderators and administrators.

https://guide.wagtail.org

BSD 3-Clause "New" or "Revised" License

32 stars 26 forks source link

feedback updating should not use a guessable identifier #314

Open disperate opened 1 year ago

disperate commented 1 year ago

After submitting a feedback on a page, it is possible to add a feedback_text.

This text is stored in the feedback model by making a POST request with the feedback pk as the identifier. This key is guessable and feedback from other users can potentially be manipulated.

Instead, a non-determinable identifier such as a uuid should be used.

thibaudcolas commented 1 year ago

Thanks for the report @disperate!