This repository has been archived by the owner on Mar 13, 2020. It is now read-only.

API requests need to know what user is sending them and respond appropriately #2

Open
dougmakingstuff opened this issue Apr 25, 2019 · 0 comments
Labels
api (API issue), critical (Severity: Critical), on hold (Status: on hold), security (Security issue)

Comments

@dougmakingstuff
Contributor

Right now, if you have a copy of Postman, you can get any data from any of the API endpoints, regardless of whether or not you should access that data.

We need to lock down the API so that:

  • Only authenticated, authorized users can request data
  • Users only see the data they are authorized to see. For example, a property manager should not be able to request data on a tenant that does not live on one of their properties.

@dougmakingstuff added the api (API issue), on hold (Status: on hold), critical (Severity: Critical) and security (Security issue) labels on Apr 25, 2019
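
The two requirements in the issue, sketched as an added example that is not code from this repository: every request is authenticated first, and each tenant record is then checked against the caller's own properties. The data model, role names, tokens and function names are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: ids, roles and tokens are illustrative assumptions.
PROPERTIES = {"p1": {"manager": "mgr-alice"}, "p2": {"manager": "mgr-bob"}}
TENANTS = {"t1": {"name": "Tenant One", "property": "p1"},
           "t2": {"name": "Tenant Two", "property": "p2"}}
SESSIONS = {"tok-alice": ("mgr-alice", "property_manager"),
            "tok-bob": ("mgr-bob", "property_manager"),
            "tok-t1": ("t1", "tenant")}

class ApiError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status

@dataclass(frozen=True)
class User:
    id: str
    role: str

def authenticate(token):
    """Deny by default: a request without a known session token gets no data."""
    session = SESSIONS.get(token) if token else None
    if session is None:
        raise ApiError(401, "authentication required")
    return User(*session)

def can_read_tenant(user, tenant_id):
    """Object-level rule: decided per record, not per endpoint or per role."""
    tenant = TENANTS[tenant_id]
    if user.role == "property_manager":
        return PROPERTIES[tenant["property"]]["manager"] == user.id
    if user.role == "tenant":
        return tenant_id == user.id  # a tenant reads only their own record
    return False  # unknown roles get nothing

def get_tenant(token, tenant_id):
    user = authenticate(token)
    # Missing and forbidden records return the same 404, so ids cannot be probed.
    if tenant_id not in TENANTS or not can_read_tenant(user, tenant_id):
        raise ApiError(404, "tenant not found")
    return TENANTS[tenant_id]

def list_tenants(token):
    """Collection endpoints apply the same rule as a filter."""
    user = authenticate(token)
    return sorted(t for t in TENANTS if can_read_tenant(user, t))
```

Keeping the rule in one function (`can_read_tenant`) means the single-record and list endpoints cannot drift apart.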