More "@login_required" in view.py? #1346
Comments
At this point much of our security is handled at the API level. Many views do not require the user to be logged in because there are public data sets that should be viewable by anyone.
That's reasonable. @hackdna, I think you had reservations, but ok to close? For reference:
I think we should have an audit of all the views. It is very likely that for some of them unauthenticated access doesn't make sense and it might even open security holes.
I meant to add that if there are any specific views that you believe should have a @login_required decorator, we should discuss them.
(no longer a question, just tech debt.)
Not sure if this relates specifically to Although I can't see the files to which I don't have access, I shouldn't be able to see the related facets either.
Ideally, all views should be private by default. Public views would be enabled explicitly (a whitelist).
Checked rendered views, so we are set here. Some views are utilizing the login_required in the URL, which is why they didn't show up in the search (import view for ex).
It seems like many of our views could expose information. Besides simply being able to login, are there other things un-logged-in users need to be able to access? Or is security handled at the API level?
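The "private by default, explicit whitelist" idea and the audit that catches views protected only in the URL conf, as an added illustration that is not code from this project. It uses a stand-in `login_required` with the same shape as Django's, hypothetical view names, and a constructed URL table; `audit_views` reports every path that is neither protected nor explicitly public, and `dispatch` refuses anonymous access to such views instead of serving them.

```python
import functools
from typing import Callable, List, Tuple


class PermissionDenied(Exception):
    """Raised when an anonymous request reaches a private view."""


def login_required(view: Callable) -> Callable:
    """Stand-in for Django's decorator: refuse anonymous requests, mark the view."""
    @functools.wraps(view)  # keeps __name__ so the audit can identify the view
    def wrapper(request: dict):
        if not request.get("user"):
            raise PermissionDenied(view.__name__)
        return view(request)
    wrapper.login_required = True
    return wrapper


# Constructed allowlist: anything not listed here is treated as private.
PUBLIC_VIEWS = {"public_datasets"}

# Hypothetical views standing in for the project's view.py.
@login_required
def dashboard(request): return "dashboard"
def public_datasets(request): return "public datasets"
def facets(request): return "facets"          # decorator forgotten: should be private
def import_view(request): return "import"

# Constructed URL table; import_view is protected here, not in view.py,
# so a search for "@login_required" in view.py would miss it.
URLPATTERNS: List[Tuple[str, Callable]] = [
    ("/dashboard/", dashboard),
    ("/datasets/", public_datasets),
    ("/facets/", facets),
    ("/import/", login_required(import_view)),
]


def is_private(view: Callable) -> bool:
    return not getattr(view, "login_required", False) and view.__name__ not in PUBLIC_VIEWS


def audit_views(urlpatterns=URLPATTERNS) -> List[str]:
    """Paths whose view is neither login-protected nor on the public allowlist."""
    return [path for path, view in urlpatterns if is_private(view)]


def dispatch(path: str, request: dict, urlpatterns=URLPATTERNS) -> str:
    """Default-deny dispatch: unprotected, unlisted views are refused for anonymous users."""
    view = dict(urlpatterns)[path]
    if is_private(view) and not request.get("user"):
        raise PermissionDenied(path)
    return view(request)


def allowed(path: str, request: dict) -> bool:
    """True if dispatch serves the view, False if it raises PermissionDenied."""
    try:
        dispatch(path, request)
        return True
    except PermissionDenied:
        return False
```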