Check rights of Invite creator #182

joepio · 2021-10-03T18:27:46Z

We recently introduced Invites #134

However, the current implementation makes it possible for users to grant themselves rights to edit things that aren't theirs. To prevent this, we need to perform these checks:

Check the rights of the Inviter on creating the invite (commit)
Check the rights of the Inviter on redirecting the Invitee
Make a test framework for improved flexibility in authorization tests #233
Set expiration date for invites

I think we need to check this twice, because after an invite has been created, the rights of the creator could have changed.

joepio added the security label Oct 3, 2021

joepio mentioned this issue Oct 3, 2021

Invites #134

Closed

7 tasks

joepio changed the title ~~Limit Inivtes~~ Check rights of Invite creator Oct 3, 2021

joepio added this to the v0.27 milestone Oct 3, 2021

joepio modified the milestones: v0.27, v0.28 Oct 25, 2021

joepio added a commit that referenced this issue Dec 11, 2021

#182 Add Expires At

a42098b

joepio added a commit that referenced this issue Dec 11, 2021

#182 strictrer authorization checks invites

197a87e

joepio mentioned this issue Dec 11, 2021

#182 invite checks #234

Merged

joepio added a commit that referenced this issue Dec 11, 2021

#182 Add Expires At

5417b2b

joepio added a commit that referenced this issue Dec 11, 2021

#182 strictrer authorization checks invites

d889a1a

joepio closed this as completed Dec 11, 2021

joepio mentioned this issue Apr 4, 2022

Modifying classes in Commits - possible attack vector for circumventing custom Class constraints / checks #371

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Check rights of Invite creator #182

Check rights of Invite creator #182

joepio commented Oct 3, 2021 •

edited

Loading

Check rights of Invite creator #182

Check rights of Invite creator #182

Comments

joepio commented Oct 3, 2021 • edited Loading

joepio commented Oct 3, 2021 •

edited

Loading