Volunteers-for-Salesforce icon indicating copy to clipboard operation
Volunteers-for-Salesforce copied to clipboard

Published 20 hours ago verified publisher icon SalesforceFoundation

Email security check for PersonalSites does not operate on cached value

Open jonnypetraglia opened this issue 7 years ago • 3 comments

Introduced in Issue #169 was the ability to require an email in the URL for PersonalSites in addition to the ContactID.

Which is all well and good except that it only checks for the email in the URL, not in the cookie. VOL_SharedCode.isValidContactIdAndEmail() is only called for URL params, not if a cookie already exists.

See: https://github.com/SalesforceFoundation/Volunteers-for-Salesforce/blob/cbd88d1754a101556fd1ccf0b323b8d1798a5435/src/classes/VOL_CTRL_PersonalSiteContactInfo.cls#L56-L75

I know it's not as straightforward and I'm aware that this is not meant to be the most hardcore of security features, but the fact that anyone could drop in a cookie and have read/write access to the public page seems like it defeats the purpose of the email check, with the only difference being changing a cookie instead of a URL param.

jonnypetraglia avatar Mar 28 '17 22:03 jonnypetraglia

good catch. we should change the cookie to contain both id and email maybe.

davidhabib avatar Mar 28 '17 23:03 davidhabib

**lurch: add

davidhabib avatar Mar 28 '17 23:03 davidhabib

Tracking W-018209

LurchTheButler avatar Mar 28 '17 23:03 LurchTheButler