
Remove access to unused (and dangerous) routes

Open nicolasfranck opened this issue 4 years ago • 2 comments

Please complete the following fields as applicable:

What version of the DMPRoadmap code are you running? (e.g. v2.2.0)

3.0.2

Expected behaviour:

Routes that are not in use should not be left open. Rails often creates too many routes, which leave security holes.

Actual behaviour:

Steps to reproduce:

  • go to a plan
  • go to your javascript console, and try the following (please use a test database):
    `$.post(window.location.href,{ "_method" : "delete" })`
  • the javascript leaves an error, but your plan, and all related data, is gone.

The culprit is the use of `resources`.

Given the current PlanPolicy, any user with editor rights can do this: https://github.com/DMPRoadmap/roadmap/blob/master/app/policies/plan_policy.rb#L46

nicolasfranck avatar Apr 20 '21 07:04 nicolasfranck
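As an added illustration of the point made in the issue (this is not DMPRoadmap code and not Rails itself), the following pure-Ruby script models the two mechanisms involved: the seven routes that a bare `resources :plans` declares, and the `Rack::MethodOverride` rule that lets a POST carrying `_method=delete` be dispatched as a DELETE. It then resolves the request from the reproduction steps against the default route table and against one restricted with `only:`. The `plans` resource name and the action list in `RESTRICTED_ROUTES` are assumptions chosen for the example; the verbs, paths and route order mirror Rails' defaults.

```ruby
# Added example, not DMPRoadmap or Rails code: a small model of Rails'
# `resources` route generation plus Rack::MethodOverride, used to show why
# a POST with `_method=delete` reaches `destroy` and how `only:` removes it.

# The routes `resources :plans` declares, in Rails' order (update gets PATCH and PUT).
RESOURCE_ACTIONS = [
  [:index,   "GET",    "/:res"],
  [:create,  "POST",   "/:res"],
  [:new,     "GET",    "/:res/new"],
  [:edit,    "GET",    "/:res/:id/edit"],
  [:show,    "GET",    "/:res/:id"],
  [:update,  "PATCH",  "/:res/:id"],
  [:update,  "PUT",    "/:res/:id"],
  [:destroy, "DELETE", "/:res/:id"],
].freeze

# Build the route table for `resources name, only: ..., except: ...`.
def routes_for(name, only: nil, except: nil)
  RESOURCE_ACTIONS.select { |action, _, _|
    (only.nil? || only.include?(action)) && (except.nil? || !except.include?(action))
  }.map { |action, verb, pattern|
    [verb, pattern.sub(":res", name.to_s), "#{name}##{action}"]
  }
end

# Rack::MethodOverride semantics: only a POST can be overridden, and only to one
# of these verbs, taken from the `_method` param or the X-HTTP-Method-Override header.
OVERRIDABLE = %w[PUT PATCH DELETE OPTIONS LINK UNLINK].freeze

def effective_method(method, params = {}, headers = {})
  return method unless method == "POST"
  override = (params["_method"] || headers["X-HTTP-Method-Override"]).to_s.upcase
  OVERRIDABLE.include?(override) ? override : method
end

# Resolve a request to "controller#action", or nil when no route matches (Rails would 404).
def resolve(routes, method, path, params = {}, headers = {})
  verb = effective_method(method, params, headers)
  routes.each do |route_verb, pattern, target|
    next unless route_verb == verb
    regex = Regexp.new("\\A" + pattern.gsub(":id", "[^/]+") + "\\z")
    return target if regex.match?(path)
  end
  nil
end

# Weak: the bare `resources :plans` declares destroy, so the issue's reproduction succeeds.
ALL_ROUTES = routes_for(:plans)
# Hardened: declare only the actions the app actually serves; no DELETE route exists at all
# (assumed action list for this example).
RESTRICTED_ROUTES = routes_for(:plans, only: %i[index show new create edit update])

if __FILE__ == $PROGRAM_NAME
  request = ["POST", "/plans/42", { "_method" => "delete" }]
  puts "resources :plans            -> #{resolve(ALL_ROUTES, *request).inspect}"
  puts "resources :plans, only: ... -> #{resolve(RESTRICTED_ROUTES, *request).inspect}"
end
```

The same check can be made on a real application with `rails routes`, which lists every verb/path pair the router will accept; any action that appears there but has no deliberate use in the app is a candidate for `only:`/`except:`. Restricting routes is complementary to the policy fix: `only:` removes the endpoint entirely, while the policy decides who may call the endpoints that remain.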

Agreed. This has been on our radar for some time now. Related to both #1571 and #2761.

briri avatar Apr 20 '21 14:04 briri

@gjacob24 not sure if this (or any of the linked ones) would be an interesting issue to get to know the code better?

pherterich avatar Jun 23 '22 09:06 pherterich