🐛 BUG: Fix security issues about geli HOT 5 CLOSED

@lukaskorte cah this be closed??

from geli.

A similar problem occurs when the auth token expires and I try to access pages. If we get a 401 - Unauthorized we should show the homescreen in "logged out"-mode.

from geli.

@lukaskorte is this still a thing?

from geli.

Issues mentioned in the previous comments seem to be fixed already:

• The initial window.localStorage["currentUserRole"] = "admin"; issue does not exist anymore. I.e. the string "currentUserRole" can not even be found in the current codebase.
• Trying to use an invalid token sends one back to the login page.

It is still possible to locally promote oneself to admin / teacher by other means.
(And that cannot really be prevented, of course, especially since this an open source project and anyone can easily build a modified client.)
But no information is leaked to the dashboard, since #594 is fixed by now (i.e. hidden courses stay hidden, as do access keys and so on).

The following tested attacks fail as they should:

• Trying to edit a course (i.e. trying to change general information, content, media, members or teachers).
• Trying to access a course one normally can't access (i.e. a hidden course or a non-free course the user isn't enrolled in).

However, an attacker can still view the course edit pages for any normally visible course.
This means access to /api/courses/:id GetCourse, which then leaks information.
I.e. this reveals a missed sub-issue of #594.
And, just like the original #594 /api/courses/ GetCourses leak, one does not even need to promote oneself to admin or teacher to obtain the leaked data.

from geli.

This issue may now be closed, since the newfound GetCourse leak got its own issue #653 and the originally mentioned problems are apparently gone.

from geli.