bookish
Imprecise chapter editing permissions
Expected behavior
When an author is given permissions to edit a chapter, they should only be able to edit that chapter.
Actual behavior
The front end verifies the condition above, but if a malicious author were to send a request from their client to edit a different chapter, it would be permitted, since the Firestore rule only checks whether they have permission to edit any chapter, not the specific chapter targeted by the request. This is not super consequential, but it is wrong.
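As an added illustration (not code from the bookish repository), here is a Firestore rule of the shape described above next to one that scopes the check to the chapter actually being written. The collection name `chapters`, the per-document `editors` array and the `users/{uid}` document with an `isChapterEditor` flag are assumptions about the data model, not taken from the project.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed layout (not bookish's real schema):
    //   users/{uid}           { isChapterEditor: bool }
    //   chapters/{chapterId}  { editors: [uid, ...], body: string }

    // WEAK (the pattern reported above): the write is granted if the
    // caller may edit *some* chapter. The chapterId in the path is never
    // consulted, so a client that substitutes another chapterId passes.
    //
    // match /chapters/{chapterId} {
    //   allow update: if request.auth != null
    //     && get(/databases/$(database)/documents/users/$(request.auth.uid))
    //          .data.isChapterEditor == true;
    // }

    // SCOPED: the caller must be listed on *this* chapter document, and an
    // editor may change the text but not the editor list itself.
    match /chapters/{chapterId} {
      allow read: if request.auth != null;
      allow update: if request.auth != null
        && request.auth.uid in resource.data.editors
        && request.resource.data.editors == resource.data.editors;
    }
  }
}
```

The front-end check stays as a usability measure, but only the rule is an enforcement boundary, because any client can issue arbitrary Firestore writes with the user's own credentials. Both cases (an update to a chapter the user is listed on, and one to a chapter they are not) are straightforward to exercise against the Firebase emulator before deploying a rules change.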