Enforce Permissions on API #5

Closed
opened 2024-03-17 23:16:15 +00:00 by corbz · 3 comments
Owner

For both posting to the listview and patch/put/get for the details view, add a permission that prevents server non-admin users from making writes.

This may require a Discord API call, which is why this should only be checked on a per-subscription interaction basis, as opposed to when loading many, as many API calls will cause rate limits and slow response times.

corbz added the enhancement label 2024-03-17 23:16:15 +00:00
corbz added this to the PYRSS project 2024-03-17 23:16:15 +00:00
Author
Owner

With the changes mentioned in issue #4, I've implemented server-side filtering so that only certain users can interact with the API for subscriptions, but as of now the user can impersonate admins or server owners by modifying the data returned to the server upon creating a new instance of savedguild.

corbz changed title from Prevent subscription write changes from non-admins to Enforce Permissions on API 2024-09-07 20:38:04 +00:00
Author
Owner

Currently users are restricted to accessing subscriptions and filters that they are permitted to view, meaning the original purpose of this ticket is completed.

However, the latest scope of the project includes tracked content, representing content from RSS feeds that has been processed.

Access to tracked content is not limited by permissions as the other objects are; this should be fixed.

corbz closed this issue 2024-09-07 20:39:40 +00:00
corbz reopened this issue 2024-09-07 20:39:43 +00:00
Author
Owner

I have limited access to various API endpoints, including tracked content, to the proper authenticated users.

corbz closed this issue 2024-09-07 21:01:01 +00:00
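
One way to close the impersonation gap described in the second comment while keeping Discord calls rare, as an added example that is not PYRSS code: the server derives admin status from the guild list Discord returns for the user's own token and ignores any `owner` or `permissions` fields in the request body. `GuildAdminChecker`, `fetch_guilds` and `create_saved_guild` are hypothetical names, the guild dict shape (`id`, `owner`, `permissions`) is assumed to follow Discord's user guild list, and the sample data is constructed.

```python
import time

ADMINISTRATOR = 0x8  # Discord permission bit (1 << 3)

# Constructed sample of the guild list Discord would return for one user token.
SAMPLE_GUILDS = [
    {"id": "111", "owner": False, "permissions": "2048"},       # plain member
    {"id": "222", "owner": False, "permissions": "8"},          # administrator
    {"id": "333", "owner": True, "permissions": "2147483647"},  # server owner
]


class GuildAdminChecker:
    """Decides write access from Discord's answer, never from request data."""

    def __init__(self, fetch_guilds, ttl=60.0, clock=time.monotonic):
        self._fetch = fetch_guilds  # hypothetical callable: token -> list of guild dicts
        self._ttl = ttl             # seconds a lookup is reused, to stay under rate limits
        self._clock = clock
        self._cache = {}            # token -> (expires_at, {guild_id: is_admin})

    def _admin_map(self, token):
        now = self._clock()
        hit = self._cache.get(token)
        if hit and hit[0] > now:
            return hit[1]
        admin = {}
        for guild in self._fetch(token):
            perms = int(guild.get("permissions", 0))
            is_admin = bool(guild.get("owner")) or bool(perms & ADMINISTRATOR)
            admin[str(guild["id"])] = is_admin
        self._cache[token] = (now + self._ttl, admin)
        return admin

    def can_write(self, token, guild_id):
        # A guild missing from Discord's answer is denied by default.
        return self._admin_map(token).get(str(guild_id), False)


def create_saved_guild(checker, token, payload):
    """payload is client-controlled; only guild_id is read from it."""
    guild_id = str(payload["guild_id"])
    if not checker.can_write(token, guild_id):
        raise PermissionError("not an admin or owner of this guild")
    # Any owner/permissions fields the client sent are discarded here.
    return {"guild_id": guild_id}
```

The check runs only on the write path, and the short cache means repeated writes by the same user within the TTL cost a single upstream call.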
Reference: corbz/PYRSS-Website#5