Comments (4)
karger
commented on August 11, 2024
This points to a broader problem. Any actions that modify data should
be access controlled and done only when identity is verified and access
granted. I assumed that the nodejs infrastructure would handle this
for us; what have we done that enabled unauthenticated access to change
state?
…On 1/4/2021 3:40 PM, Jumana Almahmoud wrote:
to reproduce error:
* clear cookies but remain on the main dashboard.
* create a class after your cookies were cleared.
* the class will be added to the DB with "null" as the "creator" value.
* class will not be loaded to the UI.
this is a problem also for people who leave their tabs open but have
their session cleared, we shouldn't allow requests without any
authentication which is also a problem with other parts in the system
that needs to be handled.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#64>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAIWSXXYEVWXG67BRUAQRSDSYIRUBANCNFSM4VTQ3T4A>.
from nb.
JumanaFM
commented on August 11, 2024
I agree. I noticed this bug when Marc pointed out he wasn't able to see one of his classes in his list. The original implementation of nb doesn't always check the current user (authenticated or not).
from nb.
karger
commented on August 11, 2024
On 1/4/2021 5:28 PM, Jumana Almahmoud wrote:
I agree. I noticed this bug when Marc pointed out he wasn't able to
see one of his classes in his list. The original implementation of nb
doesn't always check the current user (authenticated or not).
I would assume this checking would happen on all api calls by
default---how does it fail to happen?
…
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#64 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAIWSXQS2PTJ4EDTLKRFVV3SYI6JLANCNFSM4VTQ3T4A>.
from nb.
JumanaFM
commented on August 11, 2024
On 1/4/2021 5:28 PM, Jumana Almahmoud wrote: I agree. I noticed this bug when Marc pointed out he wasn't able to see one of his classes in his list. The original implementation of nb doesn't always check the current user (authenticated or not).
I would assume this checking would happen on all api calls by default---how does it fail to happen?
…
— You are receiving this because you commented. Reply to this email directly, view it on GitHub <#64 (comment)>, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAIWSXQS2PTJ4EDTLKRFVV3SYI6JLANCNFSM4VTQ3T4A.
from what I have seen in the code, once the UI is loaded, it will send an api/user/current request to check if the user has a valid session, if not it will redirect to the log in page. So, as long as the page is loaded and a user was authenticated, all other requests (i believe so) assumes that a user have a valid session, which i think is not a good approach. We need to check before every action. No just for this issue but to mitigate any other anonymous requests (from postman for example and so on). I'm thinking of solving this by creating a middleware that intercepts all requests to check if they were valid.
from nb.
Related Issues (20)
- Send emails to users to showcase features on NB
- annotation side bar never loads HOT 3
- Code not working on ubuntu? HOT 9
- override libretext padding issue
- Use Toggle UI for focus instead of checkbox
- Expanding the envelope to show notifications is not consistent with the general UX
- Show the number of followers online
- Add header to online status bar HOT 1
- Comment section needs improvement HOT 2
- Add accessible filters HOT 1
- Improve instructor view to differentiate between public and anonymous comments HOT 1
- Add new user type (TA), allow them to escalate comments, allow instructors to resolve "reply requests" HOT 1
- Fix anonymization visibility
- PDF download should have a proper name with .pdf extension HOT 1
- Grading Deadline should default to assignment due date
- Add role-based access control system
- Highlight and Tag with Emojis
- Problem with sidebar and login (from within it). HOT 4
- Allow users to remove due date from assignments
- Surface instructor endorsements and/or Spotlights as part of the gradesheet
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nb.