API inconcistent in returning 404/403 depending on permission check used #66

thervh70 · 2015-07-11T22:14:34Z

A public user who tries to view a private announcement will get a 404.
However if it tries to delete a private anouncement it will get served a 403 error (Forbidden)
In that case it will know that there somehow is an announcement carrying that id.

ajrouvoet · 2015-07-11T22:15:52Z

This is not really a security issue as an api inconsistency, sometimes you'll get a 404, sometimes a 403 depending on the method used for permission checking (dynamic in database vs dynamic in python vs static)

thervh70 added the Security label Jul 11, 2015

thervh70 removed the Security label Jul 11, 2015

ajrouvoet changed the title ~~Public users can indirectly find announcements~~ API inconcistent in returning 404/403 depending on permission check used Jul 11, 2015

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

API inconcistent in returning 404/403 depending on permission check used #66

API inconcistent in returning 404/403 depending on permission check used #66

thervh70 commented Jul 11, 2015

ajrouvoet commented Jul 11, 2015

API inconcistent in returning 404/403 depending on permission check used #66

API inconcistent in returning 404/403 depending on permission check used #66

Comments

thervh70 commented Jul 11, 2015

ajrouvoet commented Jul 11, 2015