Permission issue #21

Closed
lxylxy123456 opened this issue Feb 25, 2020 · 2 comments

@lxylxy123456
Contributor

This problem happens after #18.
Consider the API /api/assignments/<course_id>.
If we have one class ECS123 and a student not taking this class, then for this user /api/assignments/ECS123 returns "permission denied" and /api/assignments/ECS124 returns "course not found".

So any user who can access the service can list all courses using brute force.
Is this a problem?
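
The difference described in the comment above, as an added example that is not part of the original thread and not the project's own code. It puts a handler that returns the two distinct errors beside one that gives non-members a single response, plus a regression check; the course data, user names, function names, status codes and response shape are all assumptions.

```python
# Constructed sample data: the course, its members and its assignments are
# assumptions made for this example, not values from the project.
COURSES = {
    "ECS123": {"members": {"alice"}, "assignments": ["hw1", "hw2"]},
}

# Single denial used by the uniform handler (status code is an assumption).
DENIED = (403, {"success": False, "message": "permission denied"})


def list_assignments_distinguishable(user, course_id):
    """Behaviour described in the issue: a non-member sees a different
    error for an existing course than for a missing one."""
    course = COURSES.get(course_id)
    if course is None:
        return 404, {"success": False, "message": "course not found"}
    if user not in course["members"]:
        return 403, {"success": False, "message": "permission denied"}
    return 200, {"success": True, "assignments": course["assignments"]}


def list_assignments_uniform(user, course_id):
    """Hardened variant: existence and membership are checked together, so
    a non-member gets the same status and body in both cases."""
    course = COURSES.get(course_id)
    if course is None or user not in course["members"]:
        return DENIED
    return 200, {"success": True, "assignments": course["assignments"]}


def leaks_existence(handler, outsider, existing_id, missing_id):
    """Regression check: True if a user who is in neither course can tell
    an existing course id from a missing one by comparing responses."""
    return handler(outsider, existing_id) != handler(outsider, missing_id)


if __name__ == "__main__":
    for handler in (list_assignments_distinguishable, list_assignments_uniform):
        leaked = leaks_existence(handler, "mallory", "ECS123", "ECS124")
        print(f"{handler.__name__}: leaks course existence = {leaked}")
```

The uniform variant only equalises status and body; response timing and other endpoints that accept a course id need the same treatment for the check to mean anything.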

@Lawrence37
Contributor

In the nbgrader exchange directory, everyone has read access to the courses and even the assignments.

@lxylxy123456
Contributor Author

I see. So I will say that either the exchange folder design is not very secure or I am overthinking. I usually think about this when making a website backend. Maybe we can let Kevin comment on this after he joins this repo.

@lxylxy123456 lxylxy123456 added the wontfix This will not be worked on label Feb 27, 2020