This problem happens after #18
Consider the API /api/assignments/<course_id>.
If we have one class, ECS123, and a student not taking this class, then for this user /api/assignments/ECS123 returns "permission denied" and /api/assignments/ECS124 returns "course not found".
So any user who can access the service can list all courses using brute force.
Is this a problem?
I see. So I will say that either the exchange folder design is not very secure or I am overthinking. I usually think about this when making a website backend. Maybe we can let Kevin comment on this after he joins this repo.
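The enumeration oracle described in this issue, and the usual mitigation, as an added example that is not code from this repository: the leaky handler returns a different error for "not enrolled" and "no such course", so a non-member can tell the two apart; the hardened handler returns one uniform response for both and keeps the real reason only in a server-side log. Course, user and handler names are constructed for the example.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample data: which users are enrolled in each course, and the
# assignments per course. Only ECS123 exists; "bob" is enrolled in nothing.
COURSES: Dict[str, Set[str]] = {"ECS123": {"alice"}}
ASSIGNMENTS: Dict[str, List[str]] = {"ECS123": ["hw1", "hw2"]}

# Server-side audit trail; the real denial reason goes here, never to the client.
DENIED_LOG: List[Tuple[str, str, str]] = []


def leaky_assignments(user: str, course_id: str) -> Tuple[int, dict]:
    """Behaviour reported in the issue: the error text reveals whether the
    course exists, so iterating course IDs enumerates the course list."""
    if course_id not in COURSES:
        return 404, {"error": "course not found"}
    if user not in COURSES[course_id]:
        return 403, {"error": "permission denied"}
    return 200, {"assignments": ASSIGNMENTS[course_id]}


def hardened_assignments(user: str, course_id: str) -> Tuple[int, dict]:
    """Uniform response: a course the user is not enrolled in is returned
    exactly like a course that does not exist (same status, same body)."""
    enrolled = COURSES.get(course_id, set())
    if user not in enrolled:
        reason = "not found" if course_id not in COURSES else "not enrolled"
        DENIED_LOG.append((user, course_id, reason))  # operators still see why
        return 404, {"error": "course not found"}
    return 200, {"assignments": ASSIGNMENTS[course_id]}


def distinguishable(handler, user: str, existing: str, missing: str) -> bool:
    """True if a user who is a member of neither course can tell an existing
    course from a nonexistent one by comparing the two responses."""
    return handler(user, existing) != handler(user, missing)


if __name__ == "__main__":
    print("leaky oracle:", distinguishable(leaky_assignments, "bob", "ECS123", "ECS124"))
    print("hardened oracle:", distinguishable(hardened_assignments, "bob", "ECS123", "ECS124"))
```

This only equalises status and body; if the two code paths do noticeably different work (e.g. a database lookup only for existing courses), response timing can still leak the same bit and should be checked separately.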