Remove access to unused (and dangerous) routes
Please complete the following fields as applicable:
What version of the DMPRoadmap code are you running? (e.g. v2.2.0)
3.0.2
Expected behaviour:
Routes that are not in use should not be left open. Rails often creates too many routes, which leave security holes.
Actual behaviour:
Steps to reproduce:
- go to a plan
- go to your javascript console, and try the following (please use a test database)
$.post(window.location.href,{ "_method" : "delete" })
- the JavaScript returns an error, but your plan and all related data are gone.
The culprit is the use of `resources`.
Given the current PlanPolicy, any user with editor rights can do this:
https://github.com/DMPRoadmap/roadmap/blob/master/app/policies/plan_policy.rb#L46
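An added illustration of the two mitigations implied by this report (not DMPRoadmap's own code): generate no DELETE route if the application never deletes plans that way, and, where it does, make the policy's `destroy?` stricter than `update?` so editor rights alone cannot remove a plan. The `User`/`Role`/`Plan` structs, the `access` symbols and the method names are assumptions for the example, modelled on Pundit conventions.

```ruby
# config/routes.rb (Rails DSL, shown in a comment because it is not executed here):
#   resources :plans, only: %i[index show new create edit update]
# With `only:` there is no `DELETE /plans/:id` route, so a forged
# `_method=delete` parameter on a POST has nothing to reach.

# Constructed stand-ins for the ActiveRecord models (assumption, not the project's schema).
User = Struct.new(:id)
Role = Struct.new(:user_id, :access) # access is one of :owner, :editor, :reader
Plan = Struct.new(:id, :roles)

# Pundit-style policy: the decision for destroy? is separated from update?,
# so the right to edit a plan does not imply the right to delete it.
class PlanPolicy
  def initialize(user, plan)
    @user = user
    @plan = plan
  end

  # Owners and editors may change the plan's contents.
  def update?
    role_in?(%i[owner editor])
  end

  # Only the owner may delete the plan and everything attached to it.
  # If destroy? simply mirrored update?, any editor could remove the plan
  # with the forged DELETE described in the report.
  def destroy?
    role_in?(%i[owner])
  end

  private

  # True when the user holds one of the given access levels on this plan.
  def role_in?(levels)
    return false if @user.nil?

    @plan.roles.any? { |r| r.user_id == @user.id && levels.include?(r.access) }
  end
end
```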
Agreed. This has been on our radar for some time now. Related to both #1571 and #2761.
@gjacob24 not sure if this (or any of the linked ones) would be an interesting issue to get to know the code better?