Add additional security check to PersonalSites #169

Closed
davidhabib opened this Issue Dec 28, 2015 · 3 comments

Comments

@davidhabib
Contributor

davidhabib commented Dec 28, 2015

Currently PersonalSites uses a passed-in ContactId on the URL to specify which contact's volunteer information to display. One user has requested a stronger mechanism to avoid someone passing in a different valid ContactId to the page. My proposed solution is to add a custom setting to specify that an additional URL parameter will be required, which will be called Email. A valid email address for the contact must be passed in this URL parameter, and the passed-in email must match one of the email addresses stored on the contact record, or the page will detect the error and just redirect to the PersonalSiteContactLookup page, as it currently does when given an invalid ContactId.
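The check proposed above, modelled as an added example that is not part of the issue or of the PersonalSites code (which is Apex/Visualforce, not Python). The function names, the `require_email` flag standing in for the proposed custom setting, and the contact records are assumptions constructed for the example; the redirect target `PersonalSiteContactLookup` is the page named in the issue. The point the example makes is that a ContactId alone is a guessable identifier, so the page should resolve the contact only when both parameters are present and the supplied email matches one of the addresses stored on that record, and fall back to the lookup page in every other case.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# Page the issue says the user is sent to on any failed lookup.
LOOKUP_PAGE = "PersonalSiteContactLookup"


@dataclass
class Contact:
    id: str
    emails: List[str]  # every email field stored on the record


@dataclass
class Resolution:
    contact: Optional[Contact]   # the record to display, or None
    redirect_to: Optional[str]   # page to redirect to when not resolved


def normalize_email(value: str) -> str:
    # Email addresses are compared case-insensitively and ignoring
    # surrounding whitespace, so "Jane@Example.org " matches the stored value.
    return value.strip().lower()


def emails_match(supplied: str, stored: str) -> bool:
    # compare_digest avoids leaking, via timing, how many leading characters
    # of the supplied value matched the stored address.
    return hmac.compare_digest(
        normalize_email(supplied).encode("utf-8"),
        normalize_email(stored).encode("utf-8"),
    )


def resolve_contact(params: Dict[str, str],
                    contacts: Dict[str, Contact],
                    require_email: bool) -> Resolution:
    """Decide which contact (if any) the page may display.

    params        -- URL parameters, e.g. {"ContactId": ..., "Email": ...}
    contacts      -- lookup of contact records by Id (stands in for a query)
    require_email -- the proposed custom setting: when True, a matching
                     Email parameter is required in addition to ContactId
    """
    contact_id = params.get("ContactId")
    contact = contacts.get(contact_id) if contact_id else None
    if contact is None:
        # Existing behaviour: unknown or missing ContactId -> lookup page.
        return Resolution(None, LOOKUP_PAGE)

    if not require_email:
        # Setting off: original behaviour, ContactId alone is enough.
        return Resolution(contact, None)

    supplied = params.get("Email")
    if not supplied:
        return Resolution(None, LOOKUP_PAGE)

    # Accept only if the supplied address matches one stored on this record;
    # empty email fields on the record can never match.
    if any(emails_match(supplied, e) for e in contact.emails if e):
        return Resolution(contact, None)
    return Resolution(None, LOOKUP_PAGE)


# Constructed sample records (not real Salesforce data).
SAMPLE_CONTACTS = {
    "003000000000001": Contact("003000000000001",
                               ["jane@example.org", "jane.alt@example.org"]),
    "003000000000002": Contact("003000000000002", ["bob@example.org", ""]),
}


if __name__ == "__main__":
    ok = resolve_contact({"ContactId": "003000000000001",
                          "Email": "Jane@Example.org"}, SAMPLE_CONTACTS, True)
    print("match:", ok.contact.id if ok.contact else ok.redirect_to)
    bad = resolve_contact({"ContactId": "003000000000001",
                           "Email": "bob@example.org"}, SAMPLE_CONTACTS, True)
    print("mismatch:", bad.redirect_to)
```

With the setting enabled, a request that carries somebody else's ContactId but not one of that contact's addresses is treated exactly like an invalid ContactId, so the caller learns nothing beyond what the lookup page already shows.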

@sgjudd


sgjudd commented Dec 28, 2015

I like your proposed solution.

@davidhabib


Contributor

davidhabib commented Dec 29, 2015

Thanks Steven. Good to get confirmation this solution sounds good.

@davidhabib


Contributor

davidhabib commented Dec 29, 2015

Added in 3.79
