FEAT: Prevent self question

[yogiprsetya]

Prevent self question

Description

We don't know what the free tier will be like in the future, it's better if we make DB writes more efficient.

[vercel]

Someone is attempting to deploy a commit to a Personal Account owned by @mazipan on Vercel.

@mazipan first needs to authorize it.

[mazipan]

Hmmm, actually user can update the slug after first login.
So detecting by matching with the email is misslead.

[mazipan]

The correct one is by matching the uid.
But for the public page, I already strip the uid from the response for security purposes 😂

[mazipan]

This feature seems quite hard to solve for now.

[mazipan]

One approach that I can think is:

• Passing authorization token, if user logged in
• In the server API:
  • Get session by the token
  • Get uid from the session we get (if exist)
  • if the uid is the same with the owner of the question, you can reject it.

Seems complicated and adding at least 1 API call to the session DB

[lukisxyz]

hi sir, how about comparing slug from browser URL and slug from account info?, we can do this on file src/modules/PublicQuestionPage/QuestionForm.tsx ?

when owner of the page click Kirim Pertanyaan button, just show a dialog to tell that owner of the page cannot ask to themself

[mazipan]

Oh yes, it's possible I guess 🎉

Just can we also adding a way to submit question for our self?
In some cases, let say for testing, maybe we need that 🙈

For initial, can we enable the feature on the process.env.NODE_ENV === 'production' only? Or adding new env var NEXT_PUBLIC_ENABLE_SELF_SUBMISSSION

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
tanyaaja	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Oct 16, 2023 10:07pm