User authentication for doc editing and creation on public layer. #864
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…privilage can only editing created by themselves and editing other peoples document will still going through the submissiondb flow
|
As I recall, there were some security issues in the design of the code in this pull request. It should not be merged as is. |
|
@ahayes It looks to me like the security issue is checking the owner information on the submitted doc rather then the current doc. Does that look right to you? Would switching to getting owner info from current doc make this PR acceptable? |
|
This will get revisited as part of issue #1085. |
ahayes
added
Wontfix
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Now if a doc is on the public layer or layers start with "public_", anybody can create this doc without going through submission db, but people without admin privilege can only edit docs created by themselves. Editing other peoples document will still going through the submission_db flow.
I realize there may be some security concern, therefore, this pull request is just an experiment and we will discuss this issue with DEV team, before merging and solving this issue.