Open zhughes3 opened 4 years ago
This should all be done outside of the endpoint logic. Put these checks in the server middleware.
Added security checks for anonymous users. Still need to add security checks for a signed-in user trying to edit another signed-in user's private stuff.
Currently, if a timeline is private, an anonymous user will not be able to view the timeline group page.
However, savvy developers could instead try to add timelines or timeline events via curl. Lock down these endpoints so they are not editable at all if the timeline group is private.
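One way to implement the middleware approach described in this issue, written here as an added example in Go using only `net/http` (it is not code from this project, whose language and models are not shown on the page): a single `RequireGroupAccess` wrapper that runs before any endpoint logic, for every HTTP method, so a private timeline group is neither viewable nor editable by anonymous users or by other signed-in users, whether the request comes from the UI or from curl. The `TimelineGroup` model, the `GroupStore` map, the `/groups/{id}/...` path layout, the `X-User` header used to stand in for session lookup, and the assumption that writes to any group are owner-only are all constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// TimelineGroup is a hypothetical model; the project's real schema is not on the page.
type TimelineGroup struct {
	ID      string
	OwnerID string
	Private bool
}

// GroupStore is an in-memory stand-in for the project's database (constructed for this example).
type GroupStore map[string]TimelineGroup

// userFromRequest is a hypothetical authentication hook returning the signed-in user id,
// or "" for an anonymous request. It reads a constructed X-User header purely so the example
// runs offline; a real server would derive the user from a verified session or token.
func userFromRequest(r *http.Request) string {
	return r.Header.Get("X-User")
}

// groupIDFromPath extracts the group id from assumed paths like /groups/{id}/timelines/...
func groupIDFromPath(p string) string {
	parts := strings.Split(strings.Trim(p, "/"), "/")
	if len(parts) >= 2 && parts[0] == "groups" {
		return parts[1]
	}
	return ""
}

// RequireGroupAccess wraps every /groups/{id}/... handler. The check runs before any
// endpoint logic and regardless of HTTP method, so adding timelines or events to a private
// group with a raw POST is refused in the same place as viewing the group page.
func RequireGroupAccess(store GroupStore, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		group, ok := store[groupIDFromPath(r.URL.Path)]
		if !ok {
			http.NotFound(w, r)
			return
		}
		user := userFromRequest(r)
		// Reads of a public group are open to everyone, anonymous included.
		if !group.Private && r.Method == http.MethodGet {
			next.ServeHTTP(w, r)
			return
		}
		// Everything else (any access to a private group, any write at all) is owner-only.
		// Assumption: the page only states this for private groups; owner-only writes to
		// public groups is the default chosen here.
		if user == "" {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		if user != group.OwnerID {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends one request through the middleware to a trivial OK handler and returns the
// resulting status code, so the policy can be exercised without a network listener.
func Probe(store GroupStore, method, path, user string) int {
	h := RequireGroupAccess(store, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(method, path, nil)
	if user != "" {
		req.Header.Set("X-User", user)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed sample data: one public and one private group, both owned by "alice".
	store := GroupStore{
		"pub":  {ID: "pub", OwnerID: "alice", Private: false},
		"priv": {ID: "priv", OwnerID: "alice", Private: true},
	}
	fmt.Println("anon GET  public :", Probe(store, "GET", "/groups/pub/timelines", ""))
	fmt.Println("anon GET  private:", Probe(store, "GET", "/groups/priv/timelines", ""))
	fmt.Println("anon POST private:", Probe(store, "POST", "/groups/priv/timelines", ""))
	fmt.Println("bob  POST private:", Probe(store, "POST", "/groups/priv/timelines", "bob"))
	fmt.Println("alice POST private:", Probe(store, "POST", "/groups/priv/timelines", "alice"))
}
```

The point of wrapping the whole `/groups/` route tree rather than checking inside each handler is that a newly added endpoint (a new event route, for instance) is covered automatically; the check cannot be forgotten on one write path while the page-view path is protected.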