Search function exposes data leakage and a security issue #49
Comments
You are correct. This is a problem we should fix. The code should be similar to what I used in my JHipster 5 tutorial:
https://github.com/mraible/jhipster5-demo/blob/master/README.adoc#lock-it-down
On Oct 26, 2018, at 09:26, ernsyn <***@***.***> wrote:
Hi Matt,
First of all, good work on 21-points. Been using your project to learn up on JHipster and it really helps.
Anyway, I was going through the code and it occurred to me that even if I'm logged in as myself (john), if I go to "Daily Points" and do a search with the following search parameter - o*, all points that match that parameter will appear, not just mine. (See screenshot below)
I was even able to edit the fields of a Point entry that belongs to others and save successfully. (I reverted what I edited so as not to tamper with other users' data.)
So there are 2 issues here -
Searching allows a user to search for all items that belong to all users, not just himself/herself. (Not sure how to fix this)
Once I was able to see other users' data, I was able to edit and save successfully. (Should be easily fixable)
I looked through the link you shared. This fixes issue number 2. Any idea how issue number 1 can be fixed?
You can use the below QueryBuilder to restrict based on the current username if not an admin (same as the
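As an added illustration of the two fixes discussed in this thread (this is example code written for this page, not the project's own PointsResource and not the exact change that was merged): the search endpoint wraps the user's query string in a bool query whose second `must` clause pins the owner unless the caller is an admin, and the update endpoint authorizes against the stored row before saving. Assumed names: a `Points` entity with a ManyToOne `User` that Elasticsearch indexes under `user.login` as an exact-match keyword field, `PointsRepository`, `PointsSearchRepository`, and JHipster 5's `SecurityUtils` and `AuthoritiesConstants` helpers.

```java
package org.jhipster.health.web.rest;

import static org.elasticsearch.index.query.QueryBuilders.boolQuery;
import static org.elasticsearch.index.query.QueryBuilders.queryStringQuery;
import static org.elasticsearch.index.query.QueryBuilders.termQuery;

import java.util.List;
import java.util.Optional;

import org.elasticsearch.index.query.QueryBuilder;
import org.jhipster.health.domain.Points;
import org.jhipster.health.repository.PointsRepository;
import org.jhipster.health.repository.search.PointsSearchRepository;
import org.jhipster.health.security.AuthoritiesConstants;
import org.jhipster.health.security.SecurityUtils;
import org.springframework.data.domain.Page;
import org.springframework.data.domain.Pageable;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

/**
 * Illustrative example, not the project's own code. Assumed: a Points entity
 * with a ManyToOne User (indexed under "user.login" as a keyword field),
 * PointsRepository, PointsSearchRepository, and JHipster 5's SecurityUtils
 * and AuthoritiesConstants helpers.
 */
@RestController
@RequestMapping("/api")
public class PointsResource {

    private final PointsRepository pointsRepository;
    private final PointsSearchRepository pointsSearchRepository;

    public PointsResource(PointsRepository pointsRepository,
                          PointsSearchRepository pointsSearchRepository) {
        this.pointsRepository = pointsRepository;
        this.pointsSearchRepository = pointsSearchRepository;
    }

    /**
     * Issue 1: the owner filter is a separate "must" clause, not text appended
     * to the user's query string, so a crafted query such as
     * "o* OR user.login:jane" cannot widen the result set. Admins search all.
     */
    static QueryBuilder scopedQuery(String query) {
        QueryBuilder base = queryStringQuery(query);
        if (SecurityUtils.isCurrentUserInRole(AuthoritiesConstants.ADMIN)) {
            return base;
        }
        String login = SecurityUtils.getCurrentUserLogin()
            .orElseThrow(() -> new AccessDeniedException("Not authenticated"));
        // termQuery needs an exact (non-analyzed) field. If user.login is
        // mapped as analyzed text, query its ".keyword" sub-field instead.
        return boolQuery().must(base).must(termQuery("user.login", login));
    }

    @GetMapping("/_search/points")
    public ResponseEntity<List<Points>> searchPoints(@RequestParam String query,
                                                     Pageable pageable) {
        Page<Points> page = pointsSearchRepository.search(scopedQuery(query), pageable);
        return ResponseEntity.ok(page.getContent());
    }

    /** Issue 2: admins may modify any entry, everyone else only their own. */
    static boolean canModify(Points points) {
        if (SecurityUtils.isCurrentUserInRole(AuthoritiesConstants.ADMIN)) {
            return true;
        }
        Optional<String> login = SecurityUtils.getCurrentUserLogin();
        return points.getUser() != null && login.isPresent()
            && login.get().equals(points.getUser().getLogin());
    }

    @PutMapping("/points")
    public ResponseEntity<Points> updatePoints(@RequestBody Points points) {
        if (points.getId() == null) {
            return ResponseEntity.badRequest().build();
        }
        Optional<Points> existing = pointsRepository.findById(points.getId());
        if (!existing.isPresent()) {
            return ResponseEntity.notFound().build();
        }
        // Authorize against the stored row, not the user field in the request
        // body, which the client controls.
        if (!canModify(existing.get())) {
            return new ResponseEntity<>(HttpStatus.FORBIDDEN);
        }
        // Keep the original owner so a PUT cannot reassign the entry.
        points.setUser(existing.get().getUser());
        Points result = pointsRepository.save(points);
        pointsSearchRepository.save(result);
        return ResponseEntity.ok(result);
    }
}
```

The same `canModify` gate belongs on `GET /points/{id}` and `DELETE /points/{id}`, since an attacker who can guess an ID does not need the search endpoint at all. The generated JHipster search endpoint also emits pagination headers; those are omitted here for brevity.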
@ernsyn A PR would be great. I'm trying to crawl my way out of a mountain of email after being on the road for two weeks.
@mraible no problem. I'll come up with a PR as soon as possible.
Sorry for not doing the PR earlier @mraible. Was planning to do so this weekend. Thanks for closing this issue.
No worries! I found the time and enjoyed the experience. 😊
On Nov 1, 2018, at 18:26, ernsyn <***@***.***> wrote:
Sorry for not doing the PR earlier @mraible. Was planning to do so this weekend. Thanks for closing this issue.