Authenticate that User is Actually User #55
Labels
Milestone
Comments
Closed
Harmonickey
added
b[err] - Blocked(Internal Source)
and removed
a[2] - In Progress
labels
Saurutobi
added
a[3] - Ready for Review
b[err] - Blocked(Other Ticket)
and removed
b[err] - Blocked(Internal Source)
labels
Harmonickey
added
a[5] - Merging to Dev
a[6] - Ready for QA
and removed
a[4] - Code Review Passed
a[5] - Merging to Dev
labels
|
I'm handing this one to you for QA, not sure how to test this. |
Harmonickey
added
a[7] - QA Passed
a[9] - Released
and removed
a[6] - Ready for QA
a[7] - QA Passed
labels
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
(BRANCH): bmw/28
(DESCRIPTION): Right now the user logs in and the $_SESSION tenant/landlord and userId variables are set. The only way to get to our API is to have tenant or landlord session variable set. It does not require that userId is set. UserId is currently exposed on the frontend by echoing to a javascript variable. In the worst case, someone wouldn't need to know the username and password of someone, but just go to their computer and see the userId in the javascript source. They could then login as their own user and insert the userId of another user into the ajax request.
There needs to be an auth script that checks to make sure that the information (userId probably) matches with the session variable (tenant or landlord). It would return a truthy value which I could use to execute or not execute the api script. This would prevent deletion of listings and accounts.
What might be better is to use UserId in the php only and never expose in the javascript. I may be able to do this, I don't remember why I took it out in the first place.
(ACCEPTANCE CRITERIA):
(PARENT TICKET): #28
(DEPENDENT TICKETS):none
The text was updated successfully, but these errors were encountered: