Don't allow deleting the project through the API with just a token #1206
Yeah, this is not the intended behavior, you're right. If you have the project code, you can use it to authenticate using basic auth and issue a DELETE on the project. That seems to be what we want here. We should just disable the delete endpoint when the clients authenticate using tokens.
That looks like a layering violation: I wouldn't expect my authentication details to affect what calls I can and cannot do. But that may actually be possible, and that would not be the first weird thing about our API ;) I'm just not sure it's a good idea.
I'm not sure I understand why this would be bad? (Not sure what a layering violation is.) To me, we have different ways to authenticate on the API:
Am I missing something?
Here is the summary of the discussion with @zorun on the matter:
See #1204 and https://ihatemoney.readthedocs.io/en/latest/security.html#giving-access-to-a-project for context
If you only have an auth token (and not the private code), there's one thing you can do through the API that you cannot do through the web interface: deleting the project. This is annoying, because we would like tokens to have less privilege than the private code (since they are used in invite links).
I see two ways to improve it:
For the second solution, we cannot reliably ask for the private code in the body of a DELETE request. We could switch to a POST request instead.
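The approach discussed in the comments (refuse DELETE when the client authenticated with a token, allow it with the private code over basic auth) can be expressed by having authentication record which credential was used and letting the handler check it. This is an added example, not ihatemoney's code: the HMAC token format, the `Bearer` scheme for tokens, the PBKDF2 storage and every name and value below are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample data: key, salt, project and private code are hypothetical.
SERVER_KEY = b"constructed-server-key"
SALT = b"constructed-salt"


def hash_code(code: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), SALT, 100_000)


PROJECTS = {"demo": hash_code("private-code")}


def make_token(project_id: str) -> str:
    """Assumed token format: HMAC of the project id, as handed out in invite links."""
    return hmac.new(SERVER_KEY, project_id.encode(), hashlib.sha256).hexdigest()


def authenticate(project_id: str, authorization: str):
    """Return how the caller proved access: 'private_code', 'token' or None."""
    if project_id not in PROJECTS:
        return None
    scheme, _, value = authorization.partition(" ")
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(value, validate=True).decode()
        except ValueError:  # malformed base64 or invalid UTF-8
            return None
        user, _, code = decoded.partition(":")
        if user == project_id and hmac.compare_digest(hash_code(code), PROJECTS[project_id]):
            return "private_code"
    elif scheme.lower() == "bearer":
        if hmac.compare_digest(value.encode(), make_token(project_id).encode()):
            return "token"
    return None


def handle(method: str, project_id: str, authorization: str) -> int:
    """Status code for a request on the project resource."""
    method_used = authenticate(project_id, authorization)
    if method_used is None:
        return 401
    # Tokens travel in invite links, so they must not be able to delete.
    if method == "DELETE" and method_used != "private_code":
        return 403
    return 200
```

A valid token gets 403 rather than 401 on DELETE: the caller is authenticated, but that credential does not carry the privilege.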