Enhance Security by Verifying isSuperAdmin on the Server Side Instead of Using Local Storage #2233
Comments
Similar to PalisadoesFoundation/talawa-admin#1839. Can we not use state management to solve this instead of making an API call on every page?

Do you want to use redux for that? Yes, we can use it, but it is a big task in itself. The superAdminCheck function is used by almost every mutation; for the time being, what I suggest is changing its implementation so that we are not dependent on just the isSuperAdmin field.

I know it's a big task, but we have too many flaws in authentication and authorization, so it should all be done together.

We need to discuss this with other contributors. Also, an auth library is necessary for session management, RBAC, security and other purposes.

Yes, and this is something more important.
Is your feature request related to a problem? Please describe.
I suggest modifying the superAdminCheck function to validate isSuperAdmin status directly from the server-side fetched profile using the user's ID, rather than relying on client-side stored values.

Describe alternatives you've considered
Someone cannot access the data that the super admin is authorized to access, even if they modify the value of isSuperAdmin.

Approach to be followed (optional)
A clear and concise description of approach to be followed.

Additional context
Add any other context or screenshots about the feature request here.
Potential internship candidates
Please read this if you are planning to apply for a Palisadoes Foundation internship PalisadoesFoundation/talawa#359
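As an added example (not code from talawa-admin or talawa-api), the contrast the issue asks for, in TypeScript: a client-side superAdminCheck that trusts an IsSuperAdmin flag in localStorage, beside a server-side check that resolves the caller's identity from a server-issued session token and reads isSuperAdmin from the stored profile. The FakeLocalStorage class, AuthServer, the session-token scheme, the deleteOrganization resolver and the sample users are all constructed for this illustration and are not the project's API.

```typescript
// Added example, not talawa-admin/talawa-api code. Every name below is
// constructed for the illustration.

type User = { id: string; name: string; isSuperAdmin: boolean };

// Stand-in for the browser's localStorage: fully under the user's control.
class FakeLocalStorage {
  private items = new Map<string, string>();
  getItem(key: string): string | null { return this.items.get(key) ?? null; }
  setItem(key: string, value: string): void { this.items.set(key, value); }
}

// INSECURE: the pattern the issue describes. Running
// localStorage.setItem("IsSuperAdmin", "true") in devtools passes this check.
function clientSideSuperAdminCheck(storage: FakeLocalStorage): boolean {
  return storage.getItem("IsSuperAdmin") === "true";
}

// Server side (constructed): sessions map an opaque, server-issued token to a
// user id; the user store is the authoritative source of isSuperAdmin.
class AuthServer {
  private users = new Map<string, User>();
  private sessions = new Map<string, string>(); // token -> userId

  addUser(user: User): void { this.users.set(user.id, user); }

  // Called after a successful login; token would be random in a real server.
  login(userId: string, token: string): void {
    if (!this.users.has(userId)) throw new Error("unknown user");
    this.sessions.set(token, userId);
  }

  // Equivalent of a GraphQL context builder: identity comes only from the
  // session lookup, never from anything the client claims about itself.
  contextFromRequest(headers: Record<string, string>): { userId: string | null } {
    const auth = headers["authorization"] ?? "";
    const token = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : "";
    return { userId: this.sessions.get(token) ?? null };
  }

  // SECURE: re-fetch the profile by the authenticated user id and read
  // isSuperAdmin from the server record. Client-held flags are ignored.
  requireSuperAdmin(ctx: { userId: string | null }): User {
    if (ctx.userId === null) throw new Error("UNAUTHENTICATED");
    const user = this.users.get(ctx.userId);
    if (user === undefined) throw new Error("UNAUTHENTICATED");
    if (!user.isSuperAdmin) throw new Error("FORBIDDEN");
    return user;
  }
}

// A mutation resolver guarded by the server-side check (constructed).
function deleteOrganization(
  server: AuthServer,
  headers: Record<string, string>,
  orgId: string,
): string {
  const ctx = server.contextFromRequest(headers);
  server.requireSuperAdmin(ctx);
  return `deleted ${orgId}`;
}

// Sample data (constructed): alice is a super admin, bob is not.
function buildServer(): AuthServer {
  const server = new AuthServer();
  server.addUser({ id: "u1", name: "alice", isSuperAdmin: true });
  server.addUser({ id: "u2", name: "bob", isSuperAdmin: false });
  server.login("u1", "tok-alice");
  server.login("u2", "tok-bob");
  return server;
}

// Bob tampers with localStorage: the client check is fooled, the server is not.
function demo(): { clientBypassed: boolean; serverResult: string } {
  const storage = new FakeLocalStorage();
  storage.setItem("IsSuperAdmin", "true");
  const clientBypassed = clientSideSuperAdminCheck(storage);

  let serverResult: string;
  try {
    serverResult = deleteOrganization(buildServer(), { authorization: "Bearer tok-bob" }, "org-1");
  } catch (err) {
    serverResult = (err as Error).message;
  }
  return { clientBypassed, serverResult };
}

console.log(demo());
```

The point the example makes for the discussion above: whether the client keeps the flag in localStorage or in a redux store makes no difference to authorization, because both live on the user's machine. The client copy can drive UI hints; the decision itself has to be made where the profile is fetched by the authenticated user's ID, and it has to sit in a place every mutation passes through (a context builder or a shared resolver guard), otherwise a single unguarded mutation is enough to bypass it.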