Imprecise chapter editing permissions #372

Open
amyjko opened this issue Feb 20, 2024 · 0 comments
Labels: defect (Something isn't working as intended), writing (Related to book authoring)

amyjko (Owner) commented Feb 20, 2024

Expected behavior

When an author is given permissions to edit a chapter, they should only be able to edit that chapter.

Actual behavior

The front end verifies the condition above, but if a malicious author were to send a request from their client to edit a different chapter, it would be permitted, since the Firestore rule only checks if they have access to edit any chapter. This is not super consequential, but it is wrong.

amyjko added the defect and writing labels Feb 20, 2024
amyjko self-assigned this Feb 20, 2024
amyjko moved this to Backlog in Bookish 1.0 Mar 10, 2024
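
The gap described in this issue, as an added example that is not part of the original issue or the Bookish code base: a JavaScript model of the two checks (not Firestore rules syntax), evaluated over constructed write requests. The per-chapter `editors` list, the user names and the chapter ids are assumptions made for illustration.

```javascript
// Added example (not Bookish code). Assumed data shape: each chapter
// carries an `editors` list of user ids. All values are constructed.
const book = {
  chapters: {
    ch1: { editors: ["alice"], text: "Intro" },
    ch2: { editors: ["bob"], text: "Methods" },
  },
};

// Imprecise rule, as the issue describes it: passes when the user can
// edit ANY chapter, and never looks at which chapter is being written.
function impreciseRule(uid, chapterId, doc) {
  return Object.values(doc.chapters).some((ch) => ch.editors.includes(uid));
}

// Precise rule: the user must be an editor of the chapter being written.
function preciseRule(uid, chapterId, doc) {
  // Own-property lookup so ids such as "constructor" do not resolve.
  const known = Object.prototype.hasOwnProperty.call(doc.chapters, chapterId);
  if (!known) return false; // unknown chapter: deny
  return doc.chapters[chapterId].editors.includes(uid);
}

// Constructed write requests as they would reach the backend rule,
// independent of whatever the front end has already verified.
const requests = [
  { uid: "alice", chapterId: "ch1" }, // own chapter
  { uid: "alice", chapterId: "ch2" }, // a different chapter
  { uid: "carol", chapterId: "ch1" }, // no chapter permissions at all
  { uid: "alice", chapterId: "ch9" }, // chapter that does not exist
];

// One "allow"/"deny" decision per request for the given rule.
function decide(rule) {
  return requests.map((r) => (rule(r.uid, r.chapterId, book) ? "allow" : "deny"));
}

// Requests the imprecise rule allows but the precise rule denies.
function overPermitted() {
  const loose = decide(impreciseRule);
  const strict = decide(preciseRule);
  return requests.filter((_, i) => loose[i] === "allow" && strict[i] === "deny");
}

console.log(decide(impreciseRule), decide(preciseRule), overPermitted());
```

The same comparison works as a regression test for the real rule: any request on which the two predicates disagree is a write that only the front end is currently preventing.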