Security fix: no more matricola moving #108
Conversation
|
There is an unexpected bug during "signup" workflow. Please, wait merge until fixed. |
|
Ok, now this is a full working patch. When you have time you can start to have a look. |
| @@ -86,12 +85,13 @@ exports.handleMatricola = function (request, response) { | |||
|
|
|||
| try { | |||
| studentInfo.Token = crypto.randomBytes(20).toString("hex"); | |||
| delete studentInfo.Matricola; | |||
There was a problem hiding this comment.
You should explain why here you need to delete Matricola.
There was a problem hiding this comment.
When a user send a request for changing his data, we identify him with login status. If he can modify, we read all previous data, where is present 'matricola' and start the dance between functions. But we don't want to make 'matricola' editable, so I remove it from the object with all (editable) data.
There was a problem hiding this comment.
Do you mean that the matricola is present on disk because we allowed it earlier? If so, I suggest to automatically remove the matricola from all files on disk, rather than adding ad-hoc hacks for cleansing the object model opportunistically.
There was a problem hiding this comment.
If we remove matricola from all students' datasets probably then we have to write an hacks to get matricola number from the file name because we use it in different places.
|
Thanks, merging! |
Security fix: no more matricola moving
We used to pass also 'matricola' every time we edit info.
Now 'matricola' is the login name and can't be modified via API.