Expected behavior
When an author is given permissions to edit a chapter, they should only be able to edit that chapter.
Actual behavior
The front end verifies the condition above, but if a malicious author were to send a request from their client to edit a different chapter, it would be permitted, since the Firestore rule only checks if they have access to edit any chapter. This is not super consequential, but it is wrong.
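The rule-level difference described in this issue, as an added example that is not the project's own rules: the weak condition is shown commented out beside a per-chapter check. The collection layout (`/chapters/{chapterId}`, `/users/{uid}`) and the `editableChapters` list field are assumptions made for illustration.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed layout: /users/{uid}.editableChapters is a list of the chapter
    // ids this author has been granted. Field and path names are hypothetical.
    function grantedChapters() {
      return get(/databases/$(database)/documents/users/$(request.auth.uid))
               .data.editableChapters;
    }

    match /chapters/{chapterId} {
      // Weak form (the behaviour reported in the issue): passes for ANY
      // chapter as soon as the author holds at least one grant.
      // allow update: if request.auth != null
      //               && grantedChapters().size() > 0;

      // Corrected form: the id of the document being written must itself
      // appear in the author's grants.
      allow update: if request.auth != null
                    && chapterId in grantedChapters();
    }

    match /users/{uid} {
      // Authors can read their own grants but never change them from the
      // client; otherwise the check above could be bypassed by self-granting.
      allow read: if request.auth != null && request.auth.uid == uid;
      allow write: if false;
    }
  }
}
```

With the corrected rule, an update to a granted chapter succeeds and an update to any other chapter id is denied by Firestore itself, regardless of what the front end sends.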