Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security issue when someone can just upload via rest api #7

Open
saarmornel opened this issue Nov 17, 2018 · 2 comments
Open

Security issue when someone can just upload via rest api #7

saarmornel opened this issue Nov 17, 2018 · 2 comments

Comments

@saarmornel
Copy link
Contributor

anyone can upload anything with fake id and there is no validation that there is video document with this id.
the same thing apply for Video microservice when anyone can create a document without uploading anything...
@saarmornel
Copy link
Contributor Author

saarmornel commented Nov 17, 2018
edited
Loading

I suggest to create a new pending document via Axios request from the uploader, and then to find a way to return the id in the beginning of the upload(maybe the event of the first response will be with the id)

Alternatively, we could just check in the biginning of the upload if there is a document as this via Axios.

@saarmornel
Copy link
Contributor Author

there is better solution: when Video MS fail to update the video because either user doesn't have permission or there is no id, then he send back message to uploader to delete the file.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@saarmornel