blitzjs.com Security issues of tutorial

The tutorial seems to have security issues that anyone can

create and update any choices through createQuestion
update choices with any data through updateChoice

I think it should be added a security note or a new section about how to fix the issues.

Demo in browser console:

Sep 11 '20 16:09 yuta0801

Good catch! For the first issue, the solution is to add ctx.session!.authorize() at the top of every query and mutation. This is added by default in generated code, but I think there's a few places in the tutorial that needs this.

Sep 11 '20 18:09 flybayer

Can I take this one?

Sep 22 '20 11:09 liamjosephsilk

@liamjosephsilk yes!

Sep 24 '20 01:09 flybayer

For the first issue, the solution is to add "ctx.session!.authorize()" at the top of every query and mutation.

Yes, it's also an issue that anyone can post. however the tutorial didn't cover authentication, I think it doesn't matter. (of course, it would be very nice if it will be) I just wanted to mention that everyone can insert 5+ choices (we probably want to limit it to 4 or lower) and can update choices related to other questions (this is undesirable behavior)

Sep 24 '20 13:09 yuta0801

Could we make use of authentication in the tutorial? Seen as it comes built in? Align it better with the current onboarding of setting up a project?

Sep 24 '20 13:09 liamjosephsilk

Yeah would be good to add auth to this!

Sep 28 '20 15:09 flybayer

I'm a little confused following the tutorial because auth seems to have been included in the app/generated code but there is no mention of it in the tutorial and there are inconsistencies because of it.

Perhaps there should be a way to start a project with no auth so that following the tutorial makes more sense.

Oct 18 '20 17:10 goleary

@goleary yeah sorry about that, we need to update the tutorial.

Oct 26 '20 22:10 flybayer