85 complete item 1b of security improvement #121
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Role checked endpoints audited to determine who should have access to the resource, GET: required, DELETE: required (admin), POST: required (admin)
register POST: not required login POST: not required send_code POST: not required verify_code POST: not required reset_password POST: required
POST: required (admin)
GET: required (admin) PATCH: required (admin) DELETE: required (admin)
POST: required (admin) DELETE: required (admin)
editProfile POST: required getProfile POST: required
GET: required (admin)
class RoleRequest(Resource): GET: required (admin) POST: required (admin) PATCH: required (admin) DELETE: required (admin) class QualificationsRequest(Resource): GET: required (admin) POST: required (admin) PATCH: required (admin) DELETE: required (admin) class AssetTypeRequest(Resource): GET: required (admin) POST: required (admin) PATCH: required (admin) DELETE: required (admin)
GET: required (admin) DELETE: required (admin) PATCH: required (admin)
class TenancyConfig(Resource): GET: not required POST: required (admin) PATCH: required (admin) DELETE: required imageRequest GET: not required
GetQuestionRequest GET: required GetRandomQuestionRequest GET: required DeleteQuestion GET: required (admin) CreateQuestion GET: required (admin) UpdateQuestion GET: required (admin) CheckAnswer GET: required CheckSingleAnswer GET: required CheckMulitpleAns GET: required
GetUserInfoRequest GET: required GetAvailabilitiesRequest GET: required GetAllVolunteer GET: required (admin)
GET: required (admin) POST: required (admin) PATCH: required (admin)
GET: required PATCH: required (admin)
VehicleRequest GET: required (admin) POST: required (admin) DELETE: required (admin) GetInputA GET: required (admin) GetInputR GET: required (admin) GetInputP GET: required (admin) GetInputV GET: required (admin) GetInputQ GET: required (admin) GetVehicleRequest Currently used by developers
GET: required (admin)
GET: required (admin)
GET: required PATCH: required
GET: required PATCH: required
GET: required
GET: required PATCH: required
GET: required POST: required GET: required
editProfile POST: required getProfile POST: required
dietary_option GET: need to confirm if this API is being used before the user is registered POST: required dietary_requirement GET: required
GET: required DELETE: required (admin) POST: required (admin)
register POST: not required login POST: not required send_code POST: not required verify_code POST: not required reset_password POST: required
class TenancyConfig(Resource): GET: not required POST: required (admin) PATCH: required (admin) DELETE: required (admin) imageRequest GET: not required
1 task
emilymclean
reviewed
Oct 8, 2023
reset_password POST: not required
emilymclean
reviewed
Oct 10, 2023
| @@ -84,6 +85,7 @@ def post(self): | |||
| This is a class to retrieve the dietary requirement data from the database | |||
| """ | |||
| @requires_auth | |||
| @is_user_or_has_role('id', UserType.VOLUNTEER, UserType.ROOT_ADMIN) | |||
There was a problem hiding this comment.
Is this correct? The ID parameter should be the user ID. It looks like all these are just the ID of the thing
There was a problem hiding this comment.
Have you tested this with a volunteer user?
emilymclean
reviewed
Oct 10, 2023
| @@ -84,6 +85,7 @@ def post(self): | |||
| This is a class to retrieve the dietary requirement data from the database | |||
| """ | |||
| @requires_auth | |||
| @is_user_or_has_role('id', UserType.VOLUNTEER, UserType.ROOT_ADMIN) | |||
There was a problem hiding this comment.
Have you tested this with a volunteer user?
| @@ -79,6 +78,8 @@ def post(self): | |||
|
|
|||
|
|
|||
| class reset_password(Resource): | |||
|
|
|||
| @is_user_or_has_role('id', UserType.VOLUNTEER, UserType.ROOT_ADMIN) | |||
There was a problem hiding this comment.
This shouldn't be guarded
| @@ -29,14 +29,16 @@ | |||
|
|
|||
| class AssetTypeRole(Resource): | |||
| @requires_auth | |||
| @is_user_or_has_role('id', UserType.VOLUNTEER, UserType.ROOT_ADMIN) | |||
There was a problem hiding this comment.
This data isn't scoped to the user, and I don't see why we should even care about role for this GET?
| @@ -36,6 +36,7 @@ | |||
|
|
|||
| class EditProfile(Resource): | |||
| @requires_auth | |||
| @is_user_or_has_role('id', UserType.VOLUNTEER, UserType.ROOT_ADMIN) | |||
There was a problem hiding this comment.
Again, is this the right parameter?
| @@ -30,6 +30,7 @@ | |||
|
|
|||
| class GetQuestionRequest(Resource): | |||
| @requires_auth | |||
| @is_user_or_has_role('id', UserType.VOLUNTEER, UserType.ROOT_ADMIN) | |||
There was a problem hiding this comment.
Is this data scoped to the user, and is this the right parameter?
| @@ -18,6 +18,7 @@ | |||
|
|
|||
| class GetUserInfoRequest(Resource): | |||
| @requires_auth | |||
| @is_user_or_has_role('id', UserType.VOLUNTEER, UserType.ROOT_ADMIN) | |||
There was a problem hiding this comment.
Same with these, right parameter?
| @@ -26,12 +26,14 @@ | |||
|
|
|||
| class UserRole(Resource): | |||
| @requires_auth | |||
| @has_role(UserType.ROOT_ADMIN) | |||
There was a problem hiding this comment.
Is a volunteer supposed to be able to get/write to these parameters? If not, this is fine
|
This obviously wasn't tested even once because you would have realised the role check decorator doesn't work like that |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Describe your changes
Issue ticket number and link