Add additional security check to PersonalSites #169
Currently PersonalSites uses a passed-in ContactId on the URL to specify which contact's volunteer information to display. One user has requested a stronger mechanism to avoid someone passing in a different valid ContactId to the page. My proposed solution is to add a custom setting to specify that an additional URL parameter will be required, which will be called Email. A valid email address for the contact must be passed in this URL parameter, and the passed-in email must match one of the email addresses stored on the contact record, or the page will detect the error and just redirect to the PersonalSiteContactLookup page, as it currently does when given an invalid contactId.
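
A sketch of the check proposed above, added here as an illustration; it is not code from the issue or from the project. The class name, method names and the `requireEmail` flag (standing in for the proposed custom setting) are hypothetical, and case-insensitive, whitespace-trimmed matching is an assumption.

```apex
// Added example: not code from the project this issue belongs to.
public with sharing class PersonalSiteEmailCheck {

    // Returns true when the page may display the contact's volunteer information.
    // requireEmail: hypothetical flag standing in for the proposed custom setting.
    // storedEmails: the email address fields read from the contact record.
    public static Boolean isAllowed(Boolean requireEmail, String emailParam,
                                    List<String> storedEmails) {
        if (requireEmail != true) {
            return true; // setting off: existing ContactId-only behaviour
        }
        String supplied = normalize(emailParam);
        if (supplied == null || storedEmails == null) {
            return false; // Email parameter missing or blank, or nothing to match
        }
        for (String stored : storedEmails) {
            String candidate = normalize(stored);
            // Skip empty fields so a blank stored value can never match.
            if (candidate != null && candidate.equals(supplied)) {
                return true;
            }
        }
        return false;
    }

    // Assumption: emails compare case-insensitively after trimming.
    private static String normalize(String value) {
        return String.isBlank(value) ? null : value.trim().toLowerCase();
    }

    // Controller-side use. A bad Email gets the same redirect as a bad
    // ContactId, so the response does not show which of the two was wrong.
    public static PageReference redirectIfDenied(Boolean requireEmail,
                                                 List<String> storedEmails) {
        String emailParam = ApexPages.currentPage().getParameters().get('Email');
        if (isAllowed(requireEmail, emailParam, storedEmails)) {
            return null; // stay on the page
        }
        PageReference lookup = Page.PersonalSiteContactLookup; // page named in the issue
        lookup.setRedirect(true);
        return lookup;
    }
}
```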