Currently, some of our views do not check if the user on a page to modify a leaderboard is the owner of that page. While we hide the links in our UI, this is not enough because a malicious user could simply type in the URL.
For example, if a user who does not own the leaderboard with id=19 goes to the route app/leaderboard/19/manage_partcipants, that user can modify the participants of the leaderboard. Instead, we should check ownership in the view, like this:
```python
from django.http import HttpResponseForbidden
from django.shortcuts import get_object_or_404, render

# Look up the board by the id taken from the URL (404 if it does not exist),
# then refuse the request unless the logged-in user is its owner.
leaderboard = get_object_or_404(Leaderboard, id=id)
if leaderboard.owner == request.user:
    # Do stuff
    return render(request, template)
else:
    return HttpResponseForbidden(render(request, "403.html"))
```
This is very important to fix, because without the check the website is vulnerable to abuse.
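One way to write the owner check once and reuse it on every view that modifies a leaderboard, as an added example that is not part of this issue or the project's code. It substitutes plain dataclasses for Django's model, request and response objects so it runs on its own; the names owner_required, fetch_board and status_for, and the demo data, are assumptions.

```python
from dataclasses import dataclass, field
from functools import wraps
# Constructed stand-ins so this runs without Django; in the project they are the
# Leaderboard model, request.user and the HttpResponse classes.
@dataclass(frozen=True)
class User:
    username: str

@dataclass
class Leaderboard:
    id: int
    owner: User
    participants: list = field(default_factory=list)

@dataclass
class Request:
    user: User
    method: str = "GET"

def owner_required(get_object, forbidden, lookup_kwarg="id"):
    """Run the view only if request.user owns the object named by the URL kwarg;
    otherwise return forbidden(request). Django wiring (assumed names):
    get_object=lambda pk: get_object_or_404(Leaderboard, id=pk),
    forbidden=lambda req: HttpResponseForbidden(render(req, "403.html"))."""
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            obj = get_object(kwargs[lookup_kwarg])
            if obj.owner != request.user:   # decided before the view touches obj
                return forbidden(request)
            return view(request, obj, *args, **kwargs)
        return wrapper
    return decorator
# Constructed demo data: board 19 belongs to alice. Responses are (status, template).
BOARDS = {19: Leaderboard(19, User("alice"))}

def fetch_board(pk):
    return BOARDS[pk]  # Django equivalent: get_object_or_404(Leaderboard, id=pk)

@owner_required(fetch_board, lambda req: (403, "403.html"))
def manage_participants(request, leaderboard, id):
    if request.method == "POST":              # mutation only reachable past the check
        leaderboard.participants.append(User("mallory"))
    return (200, "manage_participants.html")

def status_for(username, method="POST"):
    """Call the view as `username` and return (status, participant count)."""
    status, _ = manage_participants(Request(User(username), method), id=19)
    return status, len(BOARDS[19].participants)
```

A non-owner posting to the route gets the 403 and the participant list is untouched, while the owner's request goes through; an anonymous user also fails the comparison, so pairing this with login_required only changes the 403 into a redirect to login.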