This repository was archived by the owner on Jan 26, 2021. It is now read-only.

Volunteer should not be able to access another volunteer's url #326

Closed
smarshy opened this issue Jun 2, 2016 · 4 comments
Labels
Type: Bug Bug or Bug fixes.

Comments

@smarshy
Contributor

smarshy commented Jun 2, 2016

The following events happen when a volunteer tries to access another volunteer's url using their id -

/shift/view_volunteer_shifts/id - Blank page shows up
/shift/view_hours/id - Blank page shows up
/event/list_sign_up/id - volunteer is able to access
/volunteer/report/id - Blank page shows up
/volunteer/profile/id - Blank page shows up

To avoid blank/error pages and since error codes are difficult to detect as pointed out in #119, it would maybe be better to show a no volunteers right page for that volunteer.

@smarshy smarshy changed the title Volunteer should not be apble to access another volunteer urls Volunteer should not be able to access another volunteer urls Jun 2, 2016
@smarshy smarshy changed the title Volunteer should not be able to access another volunteer urls Volunteer should not be able to access another volunteer's url Jun 2, 2016
@tapaswenipathak tapaswenipathak added the Type: Bug Bug or Bug fixes. label Jun 3, 2016
@mayburgos mayburgos added the gci16 label Dec 3, 2016
necessary129 referenced this issue in necessary129/vms Dec 9, 2016
@smarshy
Contributor Author

smarshy commented Dec 10, 2016

@tapasweni-pathak Should the administrator be able to view these pages? If they are able to view it, it means that they can modify any volunteer's profile, hours, # for events etc without their consent.

necessary129 referenced this issue in necessary129/vms Dec 10, 2016
necessary129 referenced this issue in necessary129/vms Dec 21, 2016
@Yureien
Contributor

Yureien commented Jan 13, 2017

While doing this task (Volunteer should not be able to access another volunteer's url), I have noticed that there are some more urls, like /volunteer/edit/, volunteer/add_hours/, volunteer/edit_hours/ etc., that can also be accessed by others but are not mentioned in the issue list. And for the shift/cancel/ one, when it is accessed by non-authorized people, it shows an HTTP 403 page instead of the normal "no rights" page. I'm fixing this in my PR.
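
An added example, not part of the thread and not the project's code: one shared ownership check applied to every id-taking route, plus an audit that lists routes still serving another volunteer's id. The decorator, the `User` type, the template name and the return strings are hypothetical; admin access is off by default because the thread does not settle that question.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Optional

NO_RIGHTS_PAGE = "no_rights.html"  # hypothetical template name
ROUTES = {}  # URL prefix -> handler wrapped in the ownership check

@dataclass(frozen=True)
class User:
    volunteer_id: Optional[int]  # None for accounts that are not volunteers
    is_admin: bool = False

def volunteer_route(path, admin_allowed=False):
    """Register handler for path/<id> behind one shared ownership check."""
    def decorate(handler):
        @wraps(handler)
        def guarded(user, volunteer_id):
            owner = user.volunteer_id is not None and user.volunteer_id == volunteer_id
            if owner or (admin_allowed and user.is_admin):
                return handler(user, volunteer_id)
            # Same response on every route: no blank page, no bare 403.
            return NO_RIGHTS_PAGE
        ROUTES[path] = guarded
        return guarded
    return decorate

@volunteer_route("/volunteer/profile")
def profile(user, volunteer_id):
    return f"profile:{volunteer_id}"

@volunteer_route("/shift/view_hours")
def view_hours(user, volunteer_id):
    return f"hours:{volunteer_id}"

@volunteer_route("/event/list_sign_up")
def list_sign_up(user, volunteer_id):
    return f"sign_up:{volunteer_id}"

def audit_cross_access(routes, requester, other_id):
    """Paths that serve something other than NO_RIGHTS_PAGE for a foreign id."""
    return sorted(p for p, h in routes.items()
                  if h(requester, other_id) != NO_RIGHTS_PAGE)

# Constructed "before" state: one route registered without the guard,
# modelling the /event/list_sign_up/id behaviour reported in the issue.
UNFIXED = dict(ROUTES)
UNFIXED["/event/list_sign_up"] = list_sign_up.__wrapped__

if __name__ == "__main__":
    alice = User(volunteer_id=1)
    print("unfixed:", audit_cross_access(UNFIXED, alice, 2))
    print("fixed:  ", audit_cross_access(ROUTES, alice, 2))
```

Running the audit over the full route table in a test suite catches id-taking URLs that were added later without the guard.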

@anjali-dhanuka
Contributor

@tapasweni-pathak This one is done! It can be closed.

kriti21 referenced this issue in kriti21/vms Feb 12, 2018
Related to #326
also fix the test.
@mayburgos
Contributor

PR Merged. Closing Issue.
