Should not be able to get visible submissions on invisible places via the API

Open fkh opened this issue 10 years ago • 1 comments

fkh, Jan 14 '15 19:01

I've just confirmed this issue by:

  • creating a place with a comment submission
  • confirming I can anonymously access the place via the API, e.g. /api/places/414720/
  • confirming I can anonymously access the comments via the API, e.g. /api/places/414720/comments
  • marking the place as 'visible = False'
  • confirming I cannot access the place via the API
  • confirming I can still access the comments via the API

Presumably this would apply to any of the URLs with ?P<place_id>\d+ in their URLs except for PlaceListView:

  • AttachmentListView
  • SubmissionInstanceView
  • SubmissionListView

BenSturmfels, Sep 08 '21 04:09
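
The reproduction steps in the comment above, written as a small regression check. This is an added example, not shareabouts-api code: the in-memory `PLACES` store, `NotFound`, and every function name are hypothetical stand-ins for the API's views, and the sample comment text is constructed.

```python
# Added illustration; not shareabouts-api code. All names are hypothetical.
from dataclasses import dataclass, field


class NotFound(Exception):
    """Stands in for an HTTP 404 response."""


@dataclass
class Place:
    id: int
    visible: bool = True
    # submission set name -> list of submission bodies
    submissions: dict = field(default_factory=dict)


# Constructed sample data: one place with one comment submission.
PLACES = {414720: Place(414720, submissions={"comments": ["Nice spot"]})}


def get_place(place_id):
    """Place lookup: an invisible place is reported as missing."""
    place = PLACES.get(place_id)
    if place is None or not place.visible:
        raise NotFound(f"place {place_id}")
    return place


def list_submissions_unchecked(place_id, set_name):
    """Behaviour reported in the issue: the parent's flag is never consulted."""
    place = PLACES.get(place_id)
    if place is None:
        raise NotFound(f"place {place_id}")
    return place.submissions.get(set_name, [])


def list_submissions(place_id, set_name):
    """Nested lookup that resolves the parent through the same visibility gate."""
    return get_place(place_id).submissions.get(set_name, [])


def is_hidden(view, *args):
    """True when the view answers NotFound for the given arguments."""
    try:
        view(*args)
    except NotFound:
        return True
    return False
```

Running `is_hidden` over each nested lookup after setting `visible = False` is the check that separates the two variants: only the one that resolves the parent through `get_place` hides the comments.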