Comments (5)
@lukaskorte cah this be closed??
from geli.
A similar problem occurs when the auth token expires and I try to access pages. If we get a 401 - Unauthorized
we should show the homescreen in "logged out"-mode.
from geli.
@lukaskorte is this still a thing?
from geli.
Issues mentioned in the previous comments seem to be fixed already:
- The initial
window.localStorage["currentUserRole"] = "admin";
issue does not exist anymore. I.e. the string "currentUserRole" can not even be found in the current codebase. - Trying to use an invalid token sends one back to the login page.
It is still possible to locally promote oneself to admin / teacher by other means.
(And that cannot really be prevented, of course, especially since this an open source project and anyone can easily build a modified client.)
But no information is leaked to the dashboard, since #594 is fixed by now (i.e. hidden courses stay hidden, as do access keys and so on).
The following tested attacks fail as they should:
- Trying to edit a course (i.e. trying to change general information, content, media, members or teachers).
- Trying to access a course one normally can't access (i.e. a hidden course or a non-free course the user isn't enrolled in).
However, an attacker can still view the course edit pages for any normally visible course.
This means access to /api/courses/:id
GetCourse, which then leaks information.
I.e. this reveals a missed sub-issue of #594.
And, just like the original #594 /api/courses/
GetCourses leak, one does not even need to promote oneself to admin or teacher to obtain the leaked data.
from geli.
This issue may now be closed, since the newfound GetCourse
leak got its own issue #653 and the originally mentioned problems are apparently gone.
from geli.
Related Issues (20)
- Jump To Top Button HOT 2
- Bug: Styling in pdf HOT 1
- List/Grid View Component
- Sticky Header Course-View HOT 1
- 🐛 BUG: ProgressController vulnerabilities
- 🐛 BUG: UnitController vulnerabilities
- 🐛 BUG: WhitelistController vulnerabilities
- 🐛 BUG: MediaController vulnerabilities
- Bug: add svg as course image
- Bug: video upload, not all files visibile
- Layout: tasks - long answers are not wrapped
- Feedback wrong answers in tasks
- Update contributors list
- Correct CHANGELOG.md
- Bug: notification bell messages move out of screen while scrolling down the page
- How to test the Demo site?
- Know when user finish a course
- Is this repo still active? HOT 1
- default admin account? HOT 1
- Build for production
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from geli.