Unreleased Task Icons Are Accessible to All Users #226

Open
Olda-Hal opened this issue Nov 18, 2024 · 1 comment

Comments

@Olda-Hal
Contributor

Olda-Hal commented Nov 18, 2024

Icons of unreleased tasks are currently accessible to anyone, even without proper permissions. If a user visits the URL
https://rest.ksi.fi.muni.cz/taskContent/TASKID/icon/base.svg (where TASKID corresponds to an unreleased task), they can load and view the icon of that task, despite it not being released.
This behavior potentially exposes information about unreleased tasks to unauthorized users.

Steps to Reproduce

  1. Identify the TASKID of a task that has not yet been released.
  2. Access the following URL in a browser or through an HTTP client:
    https://rest.ksi.fi.muni.cz/taskContent/TASKID/icon/base.svg
  3. Observe that the icon for the unreleased task is successfully loaded and visible.

Expected Behavior

  • Icons for unreleased tasks should not be accessible to users without appropriate permissions.
  • Requests to access icons of unreleased tasks should return an error (e.g., HTTP 403 Forbidden) or redirect to a placeholder image.
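The fix the issue asks for is an authorization check on the icon endpoint itself, not only on the task listing. The following is an added example written for this page, not code from the KSI backend: it models the endpoint as plain Python functions, with a constructed task table, an assumed `release_time` field, and an assumed "org" role that is allowed to see unreleased tasks. It shows the reported behaviour (`icon_vulnerable`, which serves the icon whenever the task exists) beside a hardened handler (`icon_fixed`), and goes one step beyond the issue's suggestion by returning the same response for a missing task and an unreleased one, so the endpoint does not confirm which task IDs exist.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed sample data for this example. The real backend stores tasks in a
# database; the field names release_time and role are assumptions.

@dataclass
class Task:
    id: int
    release_time: datetime   # assumed: when the task becomes visible to participants
    icon_svg: bytes


@dataclass
class User:
    name: str
    role: str                # assumed role names: "participant" or "org"


FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)   # deterministic clock for tests

TASKS = {
    1: Task(1, datetime(2024, 1, 1, tzinfo=timezone.utc), b"<svg>released</svg>"),
    2: Task(2, datetime(2099, 1, 1, tzinfo=timezone.utc), b"<svg>secret</svg>"),
}
PLACEHOLDER_SVG = b"<svg>placeholder</svg>"

Response = Tuple[int, bytes]   # (HTTP status, body)


def is_released(task: Task, now: Optional[datetime] = None) -> bool:
    now = now or datetime.now(timezone.utc)
    return task.release_time <= now


def can_view_task(task: Task, user: Optional[User], now: Optional[datetime] = None) -> bool:
    """Released tasks are public; unreleased ones are visible only to organisers (assumed role)."""
    if is_released(task, now):
        return True
    return user is not None and user.role == "org"


def icon_vulnerable(task_id: int, user: Optional[User] = None) -> Response:
    """The behaviour the issue reports: the icon is served whenever the task exists."""
    task = TASKS.get(task_id)
    if task is None:
        return 404, b""
    return 200, task.icon_svg


def icon_fixed(task_id: int, user: Optional[User] = None,
               now: Optional[datetime] = None, placeholder: bool = False) -> Response:
    """Hardened handler: the release check runs on every icon request.

    A missing task and an unreleased task get the identical response, so an
    unauthenticated client cannot use the endpoint to enumerate valid task IDs.
    With placeholder=True the endpoint answers 200 with a neutral image instead,
    which keeps <img> tags in the front-end from rendering as broken."""
    task = TASKS.get(task_id)
    if task is None or not can_view_task(task, user, now):
        return (200, PLACEHOLDER_SVG) if placeholder else (404, b"")
    return 200, task.icon_svg


# Minimal router for the URL shape from the issue, so the check is exercised
# from the request path down. Only the fixed handler is wired in.
ICON_PATH = re.compile(r"^/taskContent/(\d+)/icon/base\.svg$")


def handle_get(path: str, user: Optional[User] = None,
               now: Optional[datetime] = None) -> Response:
    m = ICON_PATH.match(path)
    if not m:
        return 404, b""
    return icon_fixed(int(m.group(1)), user, now)


if __name__ == "__main__":
    anon = None
    print("vulnerable, anon, unreleased:", icon_vulnerable(2, anon))
    print("fixed, anon, unreleased:     ", icon_fixed(2, anon, FIXED_NOW))
    print("fixed, org, unreleased:      ", icon_fixed(2, User("o", "org"), FIXED_NOW))
    print("fixed via path, anon:        ", handle_get("/taskContent/2/icon/base.svg", anon, FIXED_NOW))
```

The check must live in the icon handler (or in a shared guard every taskContent route passes through), not only in the front-end: the issue's reproduction steps use a direct HTTP client, which sees none of the front-end's logic. Sending an authorization header from the front-end is still needed so organisers keep seeing unreleased icons once the backend starts enforcing the check.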
@xhyrom
Contributor

xhyrom commented Nov 18, 2024

I can work on this one. We'll have to add an authorization header in the front-end (mentioned in 5ccf799#diff-bc27b2bd3c64dda24b2b33746e259a6a2c9a3bba1e80b202375bc1897524c039R162)
