tbduong / aide Goto Github PK

You have made it possible to look up alternative fields on the caregiver model and any associated models (e.g. the associated user):

• https://aide-initiative.herokuapp.com/caregivers?utf8=%E2%9C%93&q%5Bfile_cont%5D=69cb564b-2bc1-425c-99bd-1b14c44112fb&commit=Search
  • All caregivers with "69cb564b-2bc1-425c-99bd-1b14c44112fb" in their file name.
• https://aide-initiative.herokuapp.com/caregivers?utf8=%E2%9C%93&q%5Buser_first_name_start%5D=n&commit=Search
  • all caregivers with a user.first_name that starts with "n" (!!!)

This is a HUGE security hole.

The following endpoints are missing authorization logic:

• caregivers#update
• caregivers#send_email
• users#update
• patients#update

Hi all,

In addition to the comments made in the pull request for code-review I wanted to make some general observations:

Overall I felt that the project went well. The group seemed to work well and accomplish the majority of the goals that were set out for y'all. I found the workflow to be efficient and effective and that really showed during the presentation.

A few notes:

-Certainly work on the indentation of the template pages. There are instances where it becomes difficult to read because of inconsistent indentation.
-Take a look at many places where there are double quotes in place of single quotes. If you are not using string interpolation go with single quotes as that is the 'Rails Way'
-Take care to look at the previous three issues that Nathan has pointed out for security issues. These are extremely important especially dealing with the sensitive nature of the patients for this project.