This repository was archived by the owner on Jan 26, 2021. It is now read-only.

Volunteer should not be able to access another volunteer's url #326

Closed
smarshy opened this issue Jun 2, 2016 · 4 comments
Labels
Type: Bug Bug or Bug fixes.

Comments

@smarshy
Contributor

smarshy commented Jun 2, 2016

The following events happen when a volunteer tries to access another volunteer's URL using their id:

/shift/view_volunteer_shifts/id - Blank page shows up
/shift/view_hours/id - Blank page shows up
/event/list_sign_up/id - volunteer is able to access
/volunteer/report/id - Blank page shows up
/volunteer/profile/id - Blank page shows up

To avoid blank/error pages, and since error codes are difficult to detect as pointed out in #119, it would maybe be better to show a no volunteers right page for that volunteer.

@smarshy smarshy changed the title Volunteer should not be apble to access another volunteer urls Volunteer should not be able to access another volunteer urls Jun 2, 2016
@smarshy smarshy changed the title Volunteer should not be able to access another volunteer urls Volunteer should not be able to access another volunteer's url Jun 2, 2016
@tapaswenipathak tapaswenipathak added the Type: Bug Bug or Bug fixes. label Jun 3, 2016
@mayburgos mayburgos added the gci16 label Dec 3, 2016
necessary129 referenced this issue in necessary129/vms Dec 9, 2016
@smarshy
Contributor Author

smarshy commented Dec 10, 2016

@tapasweni-pathak Should the administrator be able to view these pages? If they are able to view them, it means that they can modify any volunteer's profile, hours, sign up for events, etc. without their consent.

necessary129 referenced this issue in necessary129/vms Dec 10, 2016
necessary129 referenced this issue in necessary129/vms Dec 21, 2016
@Yureien
Contributor

Yureien commented Jan 13, 2017

While doing this task - Volunteer should not be able to access another volunteer's url, I have noticed that there are some more URLs like /volunteer/edit/, volunteer/add_hours/, volunteer/edit_hours/ etc. that can also be accessed by others, but are not mentioned in the issue list. And for the shift/cancel/ one, when it is accessed by non-authorized people, it shows an HTTP 403 page, instead of the normal "no rights" page. I'm fixing this in my PR.
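
An added example, not part of the thread and not the VMS project's code: one way to put a single ownership check in front of every id-bearing URL listed in the issue, so each one returns the same "no rights" page instead of a blank page or an inconsistent error. `User`, `Response`, `own_record_only`, `dispatch` and the 403 status sent with the page are assumptions; administrator access is a flag because the thread leaves that question open.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Optional

@dataclass(frozen=True)
class User:                      # hypothetical stand-in for the logged-in user
    volunteer_id: Optional[int]
    is_admin: bool = False

@dataclass(frozen=True)
class Response:                  # hypothetical stand-in for an HTTP response
    status: int
    body: str

# One shared denial page, so every guarded URL fails the same way.
NO_RIGHTS = Response(403, "You do not have rights to view this page.")

def own_record_only(allow_admin=False):
    """Allow a view only when the id in the URL belongs to the requester."""
    def decorate(view):
        @wraps(view)
        def guarded(user, raw_id):
            if user is None:                 # not logged in
                return NO_RIGHTS
            try:
                requested = int(raw_id)      # id comes from the URL: untrusted
            except (TypeError, ValueError):
                return NO_RIGHTS
            if requested == user.volunteer_id or (allow_admin and user.is_admin):
                return view(user, requested)
            return NO_RIGHTS
        return guarded
    return decorate

def _page(name):
    # Constructed placeholder view; a real view would render the record.
    return lambda user, vid: Response(200, f"{name} for volunteer {vid}")

# The five URL prefixes reported in the issue, all behind the same guard.
ROUTES = {p: own_record_only()(_page(p)) for p in (
    "/shift/view_volunteer_shifts/", "/shift/view_hours/",
    "/event/list_sign_up/", "/volunteer/report/", "/volunteer/profile/")}

def dispatch(user, url):
    """Split '<prefix>/<id>' and call the guarded view for that prefix."""
    prefix, _, raw_id = url.rpartition("/")
    view = ROUTES.get(prefix + "/")
    return view(user, raw_id) if view else Response(404, "Not found")
```

Registering the guard in the route table, rather than inside each view, means a newly added id-bearing URL cannot be left without the check by oversight.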

@anjali-dhanuka
Contributor

@tapasweni-pathak This one is done! It can be closed.

kriti21 referenced this issue in kriti21/vms Feb 12, 2018
Related to #326
also fix the test.
@mayburgos
Contributor

PR Merged. Closing Issue.
