Problem

Right now any user with a valid auth token can retrieve any `tag` resource as long as they know the ID of the resource. We should return a 404 (Not found) error if someone tries to retrieve/update/delete a resource that does not have a matching `account_id`.

Solution

In the `show`, `update`, and `delete` methods of the tag controller, let's add an `authorize` plug (middleware) to handle this. Check out #639 for an example.
Describe alternatives you've considered

We could also just include the `account_id` in the query when we fetch the resource 🤷

Testing
Please add/update tests to take these updates into account!
Questions, or need help getting started?
Feel free to ask below, or ping us on Slack :)
(You can also check out our CONTRIBUTING.md)
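One way to implement the `authorize` plug proposed above, as an added example rather than the project's own code (the #639 implementation is not reproduced here). It assumes a `Tags.get_tag/1` context function that returns `nil` for unknown IDs, a `current_user` assign carrying `account_id`, a fallback controller for error tuples, and the imports provided by `use MyAppWeb, :controller`; every module and function name is a placeholder.

```elixir
defmodule MyAppWeb.TagController do
  use MyAppWeb, :controller

  # Assumed context module; Tags.get_tag/1 returns nil when no row exists.
  alias MyApp.Tags

  # Assumed: turns {:error, _} results from the `with` blocks into responses.
  action_fallback MyAppWeb.FallbackController

  # Runs before show/update/delete only. The plug halts the pipeline, so the
  # action body never executes for a tag outside the caller's account.
  plug :authorize_tag when action in [:show, :update, :delete]

  def show(conn, _params) do
    # Use the tag the plug loaded; re-fetching by id alone would reopen the hole.
    render(conn, "show.json", tag: conn.assigns.tag)
  end

  def update(conn, %{"tag" => tag_params}) do
    with {:ok, tag} <- Tags.update_tag(conn.assigns.tag, tag_params) do
      render(conn, "show.json", tag: tag)
    end
  end

  def delete(conn, _params) do
    with {:ok, _tag} <- Tags.delete_tag(conn.assigns.tag) do
      send_resp(conn, :no_content, "")
    end
  end

  # Function plug: load the tag and require that it belong to the caller's account.
  defp authorize_tag(conn, _opts) do
    %{"id" => id} = conn.params
    %{account_id: account_id} = conn.assigns.current_user

    case Tags.get_tag(id) do
      # Pin operator: matches only when tag.account_id == current_user.account_id.
      %{account_id: ^account_id} = tag ->
        assign(conn, :tag, tag)

      # Missing and foreign tags get the identical 404, so the response does not
      # reveal whether a guessed id exists in some other account.
      _ ->
        conn
        |> put_status(:not_found)
        |> json(%{error: %{status: 404, message: "Not found"}})
        |> halt()
    end
  end
end
```

The alternative from the issue, scoping the lookup itself (for example `Repo.get_by(Tag, id: id, account_id: account_id)` inside the context), gives the same 404 behaviour; the plug keeps the check visible in the controller and shared by all three actions. Tests should cover both a tag from another account and a non-existent id and expect the same 404 for each.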