Adding a tag doesn't seem to require API key authorization #747
Comments
|
Why? adding tags is not destructive |
|
Agree that it's not directly destructive, but it could still have a significant impact if a tag is changed incorrectly. As an example, the tag may be used in pipelines to deploy the latest version of a code. Not big issue for me, but I was surprised that it worked w/o API key. |
|
Also your assumption that you need a token to upload is wrong https://github.com/docat-org/docat/blob/main/docat/docat/app.py#L227 only the destructive action of overriding a existing version requires the token this was a deliberate decision to make the usage as simple as possible but less secure im closing this for now, maybe this is something that could be configurable - but its more code and complexity |
|
Thanks for the clarification. |
I found that I can add a tag without providing an API key or with wrong API key.
In my view tagging should also be protected with the API key like upload or delete actions.
The text was updated successfully, but these errors were encountered: