Open Xeltronix opened 4 years ago
I'll point out that there is no information leak here - any normal user is able to view the list of questions. Any sensitive data is still protected by the backend layer. If this is hard to do, it's not very high priority.
Probably redirecting to app/login (which will in turn redirect to the app/recruiter or app/apply) is the right way to go.
You are able to reach the admin directory (/app/admin) when you are not one. I cannot edit any of the questions or view roles and lists. Any normal user should get an HTTP 403 Forbidden or just be redirected back to app/apply.