(DESCRIPTION): Right now the user logs in and the $_SESSION tenant/landlord and userId variables are set. The only way to get to our API is to have tenant or landlord session variable set. It does not require that userId is set. UserId is currently exposed on the frontend by echoing to a javascript variable. In the worst case, someone wouldn't need to know the username and password of someone, but just go to their computer and see the userId in the javascript source. They could then login as their own user and insert the userId of another user into the ajax request.
There needs to be an auth script that checks to make sure that the information (userId probably) matches with the session variable (tenant or landlord). It would return a truthy value which I could use to execute or not execute the api script. This would prevent deletion of listings and accounts.
What might be better is to use UserId in the php only and never expose in the javascript. I may be able to do this, I don't remember why I took it out in the first place.
(ACCEPTANCE CRITERIA):
No security leaks with api. No User can modify any other user's data.
Full login on all 'sites' that can be accessed (like tenant and such)
(BRANCH): bmw/28
(PARENT TICKET): #28
(DEPENDENT TICKETS): none
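One way to implement the auth check described in the ticket, as an added PHP example that is not the project's own code. It assumes login populates `$_SESSION` with a `tenant` or `landlord` flag and `userId`, as the description says; the function names `authorizeRequest` and `currentUserId` and the script name `deleteListing.php` are hypothetical.

```php
<?php
// Added example, not the project's code. Assumes $_SESSION holds a
// 'tenant' or 'landlord' flag plus 'userId' after login (per the ticket).
// Function names and the script name below are hypothetical.

declare(strict_types=1);

/**
 * Returns true only when the session holds a role AND a userId, and the
 * userId the request acts on equals the session's userId. The API script
 * runs only when this returns true (the "truthy value" from the ticket).
 */
function authorizeRequest(array $session, $requestedUserId): bool
{
    // Require a real login, not just a role flag: today only
    // tenant/landlord is checked and userId may be unset.
    $hasRole = !empty($session['tenant']) || !empty($session['landlord']);
    if (!$hasRole || !isset($session['userId'])) {
        return false;
    }

    // Normalise both ids before comparing: "7" from an ajax parameter
    // must match int 7 from the session, but "7abc" or "" must not.
    $sessionId = filter_var($session['userId'], FILTER_VALIDATE_INT);
    $requestId = filter_var($requestedUserId, FILTER_VALIDATE_INT);
    if ($sessionId === false || $requestId === false) {
        return false;
    }

    return $sessionId === $requestId;
}

/**
 * Preferred variant (the ticket's "use UserId in the php only"): never
 * read a userId from the request. The API script uses the returned id
 * for every query, so a client-supplied id has nothing to override.
 */
function currentUserId(array $session): ?int
{
    $hasRole = !empty($session['tenant']) || !empty($session['landlord']);
    if (!$hasRole || !isset($session['userId'])) {
        return null;
    }
    $id = filter_var($session['userId'], FILTER_VALIDATE_INT);
    return $id === false ? null : $id;
}

// Usage at the top of an API script (hypothetical deleteListing.php):
//   session_start();
//   $uid = currentUserId($_SESSION);
//   if ($uid === null) { http_response_code(403); exit; }
//   // then: DELETE FROM listings WHERE id = ? AND ownerId = $uid
```

With the second variant, the listing and account queries scope every write to the session's id, so the JavaScript no longer needs the userId at all.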