microbin icon indicating copy to clipboard operation
microbin copied to clipboard
verified publisher icon szabodanika

Anyone can edit/delete pastes even though MICROBIN_PASSWORD is set and EDITABLE is false

Open fcpwiz opened this issue 1 year ago • 3 comments

Title says it all! Only people with the password can submit pastes, but anyone with the URL can edit and delete it without needing a password. What am I missing here?

fcpwiz avatar Jul 24 '24 18:07 fcpwiz

Facing the same issue

skyrocknroll avatar Oct 12 '24 14:10 skyrocknroll

I tested the public instance with a read-only code snippet which I set a password for. Although I see an edit button, if I don't enter a password, it does not save any changes. Same happened when I tried to remove the code snippet without a password. So it looked to me like it is working as intended?

That said, I tried hosting it myself and could edit, but not delete (does not accept password) - see another issue open for that. Wish I could see the config for the public test instance as it seemed to work OK.

If it helps, these are the relevant envs I finally found to work (some variable descriptions make little sense):

export MICROBIN_EDITABLE=true
export MICROBIN_READONLY=false
export MICROBIN_ENABLE_READONLY=true
export MICROBIN_NO_FILE_UPLOAD=false
export MICROBIN_UPLOADER_PASSWORD=ISetOneHere

Danie10 avatar Nov 01 '24 13:11 Danie10