
Secure the api endpoints

Open atulya2109 opened this issue 3 years ago • 4 comments

Describe the bug

This is an umbrella issue for all the issues that could be related to securing endpoints. For example, when creating a test the class id is passed in the POST request, but it isn't verified on the back end whether the user is the admin of the class or not. Therefore, anyone can create tests in any class. Similarly, in the delete test endpoint as well, it should be checked whether the user has delete privileges or not.

To Reproduce

Steps to reproduce the behavior:

  1. Open the network tab on chrome or firefox before creating a test to log the POST request sent to the server.
  2. Import this request in Postman.
  3. Change the class field in the body of the request.
  4. The server returns a 200 status code and creates an entry in the database.

Expected behavior

Test creation should fail instead of creating the test in another class.

Desktop (please complete the following information):

  • OS: Any
  • Browser: Any
  • Version: Any

Additional context

There are many other security issues in other endpoints as well.

atulya2109 avatar Apr 03 '21 16:04 atulya2109

Yes, we should create middlewares to check whether the user is the creator of that class.

VenomFate-619 avatar Apr 04 '21 03:04 VenomFate-619
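An added example of the middleware idea raised above and of the server-side check the report says is missing. This is illustrative code, not Manthan's; it is written Express-style in plain Node with an in-memory stand-in for the database so it runs without a server. The shape of `req.user`, the `req.body.class` and `req.params.testId` fields, the `admin` field on a class record, and the helper functions are all assumptions, not taken from the project.

```javascript
// Added example (not Manthan's code): an Express-style middleware that makes the
// server verify that the authenticated user administers the class a request targets,
// before a test is created in it or deleted from it.
// Assumptions (not taken from the issue): an earlier auth middleware sets req.user.id;
// each class record has an `admin` field holding its creator's user id; the create
// endpoint sends the class id as req.body.class and the delete endpoint names the
// test as req.params.testId.

// Constructed sample records standing in for the database.
const classes = new Map([
  ['class-A', { id: 'class-A', admin: 'alice' }],
  ['class-B', { id: 'class-B', admin: 'bob' }],
]);
const tests = new Map([
  ['test-1', { id: 'test-1', class: 'class-A', title: 'Quiz 1' }],
]);
async function findClassById(id) { return classes.get(id) || null; }
async function findTestById(id) { return tests.get(id) || null; }

// Builds a middleware. `resolveClassId(req)` returns the id of the class the request
// acts on; it is evaluated server-side, so a client cannot point the check at a class
// other than the one the operation really affects.
function requireClassAdmin(resolveClassId) {
  return async function classAdminGuard(req, res, next) {
    try {
      if (!req.user || !req.user.id) {
        return res.status(401).json({ error: 'authentication required' });
      }
      const classId = await resolveClassId(req);
      if (typeof classId !== 'string' || classId === '') {
        return res.status(400).json({ error: 'cannot determine the class for this request' });
      }
      const cls = await findClassById(classId);
      // One answer for "no such class" and "not your class", so the response does not
      // reveal which class ids exist.
      if (!cls || cls.admin !== req.user.id) {
        return res.status(403).json({ error: 'forbidden' });
      }
      req.classroom = cls; // the handler reuses this record instead of re-reading the body
      return next();
    } catch (err) {
      return next(err);
    }
  };
}

// Create test: the class comes from the request body (the field the report names).
const classFromBody = (req) => (req.body ? req.body.class : undefined);
// Delete test: the class is looked up from the stored test, never from client input.
const classFromTest = async (req) => {
  const test = await findTestById(req.params ? req.params.testId : undefined);
  return test ? test.class : undefined;
};
const createTestGuard = requireClassAdmin(classFromBody);
const deleteTestGuard = requireClassAdmin(classFromTest);

// Minimal stand-ins for Express's res and next so a guard can be exercised directly.
async function runGuard(guard, req) {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  let nextCalled = false;
  await guard(req, res, () => { nextCalled = true; });
  return { nextCalled, status: res.statusCode, body: res.body };
}

// Replays the report's scenario (a user posting a test into someone else's class)
// next to the legitimate paths, and returns every outcome.
async function demo() {
  return {
    forgedCreate: await runGuard(createTestGuard, { user: { id: 'bob' }, body: { class: 'class-A' } }),
    ownCreate: await runGuard(createTestGuard, { user: { id: 'alice' }, body: { class: 'class-A' } }),
    anonCreate: await runGuard(createTestGuard, { user: null, body: { class: 'class-A' } }),
    missingClass: await runGuard(createTestGuard, { user: { id: 'bob' }, body: {} }),
    foreignDelete: await runGuard(deleteTestGuard, { user: { id: 'bob' }, params: { testId: 'test-1' } }),
    ownDelete: await runGuard(deleteTestGuard, { user: { id: 'alice' }, params: { testId: 'test-1' } }),
  };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

In a real router the guards would sit in front of the handlers, e.g. `router.post('/tests', auth, createTestGuard, createTest)` and `router.delete('/tests/:testId', auth, deleteTestGuard, deleteTest)`. The point of the resolver split is that for deletion the class is taken from the stored test, so the authorization decision depends only on server-side state; for creation the class id necessarily comes from the client, which is exactly why it has to be checked against the record before anything is written.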

@atulya2109 are you willing to work on this issue?

aavishkarmishra avatar Apr 04 '21 10:04 aavishkarmishra

@aavishkarmishra Yeah, sure.

atulya2109 avatar Apr 04 '21 10:04 atulya2109

@aavishkarmishra The pull request was merged but my points weren't updated. Please look into it

atulya2109 avatar Apr 08 '21 07:04 atulya2109