NN API Route #90
NN API Route #90
Conversation
WillNilges
force-pushed
the
willnilges/nn
branch
from
822ae67
to
f2afed1
Compare
|
I still need to update the Network Number Assignment route to take an Install Number. |
|
The tests (and the nn route) will need to consider secondary node numbers on buildings. They also need to be updated to take network numbers and not building IDs. |
|
Tests to write:
Do we want an option to "Force" a network number? |
Oh, duh. |
src/meshapi/migrations/0021_alter_install_install_number_and_more.py
Outdated
Show resolved
Hide resolved
src/meshapi/views.py
Outdated
| join_form_member.first_name = r.first_name | ||
| join_form_member.last_name = r.last_name |
There was a problem hiding this comment.
Flagging this again, sorry for the churn, but as I reflect on this I think we probably should make the admins be responsible for updating these if they need changing. This "malicious name editing" problem is a big security hole that we likely wouldn't even notice was being exploited (and would have a hard time repairing)
I guess if they give us an email that we already know about, we should just ignore the contents of the first_name, last_name, and phone fields for safety? I don't like it but I think it's the best we can do without making them validate their email or something (which we don't want to do for friction reasons)
There was a problem hiding this comment.
I suppose so. If we're going to do that, then we probably ought to return a flag that indicates, "hey, we know who this person is in some capacity", probably if_deduplicated_on_email: bla bla bla
There was a problem hiding this comment.
Like return it to the caller? Doesn't that expose yet another vulnerability? 🫤
There was a problem hiding this comment.
I think people would be confused if they join, get installed, three years go by, they change their email, they move, they fill out the join form again, and they get a "yup hey thanks we got you thanks very much", and then they get deadnamed in the email.
That's one example but YKWIM? If we're just gonna drop the information on the floor then we need to somehow let somebody know that we did that.
So right now we have a few options:
- Create a new Member with every join form submission
- Destructively update Member information deduped on email
- Destructively update Member information deduped on email but we have some kind of validation maybe
- Dedupe on email and throw peoples' updated information on the floor and tell them
- Dedupe on email and throw peoples' updated information on the floor and don't tell them
- ??? Something else :0 ???
Something to keep in mind while you think about vulnerabilities is that we'll have this gated with capchas. We have to at least do that.
There was a problem hiding this comment.
I think we take this away into the issue I created: #93
Provide a Building ID (not a BIN, we need the ID of a building already in our database). Look for a free NN among the buildings already in our DB, and assign a number. I wrote a basic test.
TODO: