
Restrict access to non-public profiles #160

Merged (3 commits, Oct 25, 2024)

Conversation

betsyecastro
Contributor

@betsyecastro betsyecastro commented Aug 16, 2024

This PR is to address the first vulnerability in the HackerOne report.

  • Removes the public parameter from the profiles search.
  • The index endpoint returns only public profiles. If a requested profile is private, the search will return an empty array.
  • Adds a conditional to the profile view policy to allow access based on whether the profile is public or not when the context is API. A 403 Forbidden error will be returned by the show endpoint when a private profile is requested.

@betsyecastro betsyecastro requested a review from wunc August 16, 2024 13:34
@betsyecastro betsyecastro self-assigned this Aug 16, 2024
@betsyecastro betsyecastro changed the title from "🔒️ Restrict access to non-public profiles via API" to "Restrict access to non-public profiles via API" Aug 16, 2024
@betsyecastro
Contributor Author

To do:

  1. Fix the URL for the API request that populates the people picker to remove the public parameter, and any other request that uses the API index endpoint.
  2. Modify the API documentation.

@betsyecastro betsyecastro changed the title from "Restrict access to non-public profiles via API" to "Restrict access to non-public profiles" Aug 20, 2024
betsyecastro and others added 2 commits August 20, 2024 15:21
Non-public profiles can be viewed by site admin, profile owner, profiles editor, school profiles editor or department profiles editor.
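The access rule described in the PR description and in the commit message above, as an added illustration that is not the project's own code: the index endpoint filters on visibility server-side and ignores any client-supplied public parameter, and the show endpoint answers 403 for a non-public profile unless the caller is the owner or holds one of the named editor/admin roles. The class names, the role identifiers, the dict-shaped query, and the treatment of school and department profiles editors as unscoped roles are all assumptions made for this example.

```python
"""Server-side visibility policy for profile API endpoints (illustrative)."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class Role(str, Enum):
    # Hypothetical role identifiers; the PR only names these roles in prose.
    SITE_ADMIN = "site_admin"
    PROFILES_EDITOR = "profiles_editor"
    SCHOOL_PROFILES_EDITOR = "school_profiles_editor"
    DEPARTMENT_PROFILES_EDITOR = "department_profiles_editor"


# Roles that may view a non-public profile they do not own.
# Assumption: school/department editors are not scoped to their unit here.
PRIVILEGED_ROLES = frozenset(Role)


@dataclass(frozen=True)
class Profile:
    id: int
    owner_id: int
    public: bool


@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset = frozenset()


# Constructed sample data: one public and one private profile.
SAMPLE_PROFILES = (
    Profile(id=1, owner_id=10, public=True),
    Profile(id=2, owner_id=20, public=False),
)


def can_view_profile(user: Optional[User], profile: Profile) -> bool:
    """Policy check used by the show endpoint in the API context.

    Public profiles are visible to everyone, including unauthenticated
    callers (user is None). Non-public profiles are visible only to the
    owner or to a user holding one of the privileged editor/admin roles.
    """
    if profile.public:
        return True
    if user is None:
        return False
    if user.id == profile.owner_id:
        return True
    return bool(set(user.roles) & PRIVILEGED_ROLES)


def index_profiles(profiles: Iterable[Profile], query: dict) -> list:
    """Search endpoint: the public filter is fixed server-side.

    The query dict may carry a "public" key from the client; it is
    deliberately never read, so it cannot widen the result set. Asking
    for a private profile by id yields an empty list rather than an
    error, so the response does not confirm whether that id exists.
    """
    wanted_ids = query.get("ids")
    results = [p for p in profiles if p.public]
    if wanted_ids is not None:
        wanted = set(wanted_ids)
        results = [p for p in results if p.id in wanted]
    return [p.id for p in results]


def show_profile(user: Optional[User], profiles: Iterable[Profile],
                 profile_id: int) -> tuple:
    """Show endpoint: returns (status, body) as a minimal HTTP-like result."""
    profile = next((p for p in profiles if p.id == profile_id), None)
    if profile is None:
        return 404, {"error": "not found"}
    if not can_view_profile(user, profile):
        # Private profile requested by someone outside the allowed set.
        return 403, {"error": "forbidden"}
    return 200, {"id": profile.id, "public": profile.public}
```

One property worth checking in a test suite for this kind of change is the pair of responses for the same private id: the index endpoint returns an empty array, while the show endpoint returns 403, which does confirm that the id exists. Whether that difference matters depends on whether profile ids are themselves considered sensitive in the application.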
@wunc wunc merged commit 8a8f21d into develop Oct 25, 2024
1 of 2 checks passed
@wunc wunc deleted the resrict-access-to-non-public-profiles-via-api branch October 25, 2024 16:41