
[Security Bug] User can delete any event (Front-end) #832

Closed
AdityaBirangal opened this issue May 23, 2021 · 9 comments · Fixed by #842
Labels: bug (Something isn't working)

Comments
@AdityaBirangal
Member

AdityaBirangal commented May 23, 2021

Describe the bug
A normal user can delete events created by another user/admin.

To Reproduce
Steps to reproduce the behavior:

  1. Switch to Events Screen
  2. Tap on Event (which is created by other user)
  3. Click on menu (3 dot) & Tap delete.

Expected behavior
User should not be able to delete events created by others.

Actual behavior
User is able to delete others' events.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional details
Github Externship Application No. : 20-05_Adi500_tfa_262

Backend: Issue for API PalisadoesFoundation/talawa-api#261

@github-actions github-actions bot added bug Something isn't working unapproved Unapproved, needs to be triaged labels May 23, 2021
@AdityaBirangal
Member Author

@palisadoes
Can I work on this issue?

@palisadoes palisadoes removed the unapproved Unapproved, needs to be triaged label May 23, 2021
@palisadoes
Contributor

This will need to be fixed in the API also. Sumitra should be able to guide you on how to do this.

@AdityaBirangal
Member Author

Yes. I was thinking of adding check points on both sides, client & server:

  1. In the app we can add a check:
    if (creator == user) then call delete query
    else display 'You can't delete others' events'

  2. On the server side:
    if the query is from the creator then delete, else not

Is my approach right?

First part (Flutter) I can do 👍🏻
How can we do this in the API? @sumitra19jha

@sumitra19jha
Contributor

sumitra19jha commented May 23, 2021

In general, checks like these are handled by the backend rather than the frontend. You can use (creator == user) in the frontend but it is not considered a correct (and secure) way to do it, as the API still has the capability to delete the event (non-creators can use Postman or other services).

We should do it from the backend, using simple logic to allow only the creator and admin to delete it.

@sumitra19jha
Contributor

For the denied case, the backend throws an error message which will be displayed by a snackbar.
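The two-sided design discussed above (a client-side `creator == user` check that only hides the button, and a server-side rule that allows only the creator or an admin to delete, with the denial surfaced as an error message for the snackbar), as an added JavaScript example that is not talawa-api's code. The in-memory event store, the `userId`/`isAdmin` context fields and the function names are assumptions.

```javascript
// Added example (not talawa-api's code): server-side authorization for
// deleting an event, written in the shape of a GraphQL-style resolver.
// Assumptions (hypothetical names): events live in a Map keyed by id, each
// event records its `creator` user id, and the caller's identity
// (`userId`, `isAdmin`) comes from an already-verified auth token, never
// from a field the client can set in the request.

class AuthorizationError extends Error {
  constructor(message) {
    super(message);
    this.name = "AuthorizationError";
  }
}

// Constructed sample data: two events created by different users.
function makeSampleEvents() {
  return new Map([
    ["evt-1", { id: "evt-1", title: "Meetup", creator: "user-alice" }],
    ["evt-2", { id: "evt-2", title: "Cleanup", creator: "user-bob" }],
  ]);
}

// The behaviour the issue reports: the API deletes whatever id it is given.
// A frontend-only `creator == user` check leaves this reachable from any
// HTTP client, which is why the thread moves the check to the backend.
function removeEventUnchecked(events, _context, eventId) {
  const event = events.get(eventId);
  if (!event) throw new Error("Event not found");
  events.delete(eventId);
  return event;
}

// Hardened version: the decision is made on the server from the
// authenticated context. Only the creator or an admin may delete.
function removeEvent(events, context, eventId) {
  const event = events.get(eventId);
  if (!event) throw new Error("Event not found");
  const isCreator = event.creator === context.userId;
  if (!isCreator && !context.isAdmin) {
    // This message is what the client shows in its snackbar for the denied case.
    throw new AuthorizationError("You can't delete others' events");
  }
  events.delete(eventId);
  return event;
}

// Returns "deleted" or the thrown error's name, so each attempt's outcome
// can be checked without inspecting the store directly.
function attemptDelete(deleteFn, events, context, eventId) {
  try {
    deleteFn(events, context, eventId);
    return "deleted";
  } catch (err) {
    return err.name;
  }
}

// Frontend side of the same rule: decide whether to render the delete
// option at all. This is a usability measure only; the server check above
// is the one that actually protects the data.
function canShowDeleteOption(event, context) {
  return event.creator === context.userId || context.isAdmin === true;
}
```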

@AdityaBirangal
Member Author

Okay. Got it.
I will handle the error message in the front end 👍🏻
Can you please do the backend part?

@sumitra19jha
Contributor

@AdityaBirangal Sure, I can work on this. But if anyone else is interested, then they can take this issue forward (as currently I already have a few issues in my bucket). If no one volunteers, then surely I will create the PR myself.

@AdityaBirangal
Member Author

Okay. Thank you :)
Actually I know Flutter well but I'm not familiar with JavaScript yet, so I won't be able to do the server-side API part. :(

@palisadoes
Can I post this issue in the talawa-api repo?
So somebody who knows server-side languages well can work on it.

& till then, can I handle this issue in Flutter (front-end)?

@palisadoes
Contributor

@AdityaBirangal go ahead. Link back to this issue and vice versa so both of you can track progress.

@AdityaBirangal AdityaBirangal changed the title [Security Bug] User can delete any event (others events) [Security Bug] User can delete any event (Front-end) May 24, 2021
AdityaBirangal added a commit to AdityaBirangal/talawa that referenced this issue May 24, 2021
palisadoes added a commit that referenced this issue Jun 26, 2021
…ch merge (#900)

* setting up the router

* minor fixes

* removed unnecessary const keywords

* Hiding FAB on reaching end of list

* set newsfeed-set_url_page navigation

* Update tests regarding the navigation change

* Add Posts Model

* Implementing Posts Model

* Change in newsfeed.dart

* event_controller

* Group controller

* linter fix

* PR checks fix

* Flutter format

* ptch: flutter format linter

* refactored the code

* Revert "refactored the code"

This reverts commit 9a7ddb6.

* test

* controller add

* query update

* tile addition

* pagination

* flutter format

* ptch: Add & Implement EventsModal

* ptch: Add & Implement OrgMember

* script for automatically adding trailing commas

* added description to the functions, added the script in pull-request.yml

* refac: fixes linting issues

* Logic correction and flutter formatting

* Added MVVM

* Added model to the locator and debugging

* Flutter Format

* Fixing travis tests

* Add FutureBuilder Logic To Main.dart

* logic correction

* set up MVVM structure

* Attached viewModel

* reduced lines

* refactored and completed local device test.

* updated tests

* Add news_article+page_view_model.dart

* Implements the ViewModel

* ptch: Updated the Test

* ptch: flutter linting

* logic correction

* minor error fixing after merge conflict

* minor error fixing after merge conflict

* minor error fixing after merge conflict

* Flutter format

* Fixing errors

* Updated Tests

* ptch: Adding Comment Bug Fix

* ptch: flutter linting

* ptch: test update

* Fixed code formatting

* bfix: fixes comment count not updating on newsfeed

* ptch: Change in Loader

* ptch: Change in Loader

* ptch: added default parameter in Loader

* logic correction

* upstream fetch

* Flutter format .

* conflict

* Url controller

* url page controller addn

* controller registration

* Unused files removal

* Adding test

* conflict resolved

* fixing tests

* Fixed errors

* Flutter format .

* Flutter Format

* Merge remote-tracking branch 'upstream/master' into newPagination

* flutter format .

* flutter format

* flutter format .

* Fixes #793

* flutter format .

* fixed changes

* flutter format

* Merge remote-tracking branch 'upstream/master' into provider-add

* flutter format .

* fixed formatting

* Fixed formatting

* Merge remote-tracking branch 'upstream/master' into provider-add

* Merge remote-tracking branch 'upstream/master' into provider-add

* Fixed travis build fail

* chore: fixes linting issue

* events update

* ptch: Flutter lint

* ptch: Replace the Column with Listview in Loader.dart

* controller add

* flutter format .

* Image Handler

* Image Ui and Controller Connection

* Test Updates

* uniformisation

* Code style prettification

* app localization and language controller addition

* language

* logic correction with generalised approach rather than specific case-wise approach

* change of a minor error in pull-request.yml

* addition of justified docstrings and methodology

* correction of a specific case in group_controller.dart's formatting

* increasing the legibility of the code

* removed unused import from post_cotroller.dart for resubmitting for the build

* Fix : Not able to close pop up in Join Organization Screen #815

Bug was caused because the page context was used in the close button instead of the builder's new context.

Fix:
Refactor : ctx -> dialogContext
Change : context -> dialogContext (line 142)

* undoing the change in pubspec.yaml for travis CI build

* Splash Screen Added

* travis ci fix

* fix

* http ^0.12.0+4

* fix

* dependency override

* dependency override

* dependency change

* compatible packages

* adding crypto 2.1.3

* crypto: 3.0.1

* To rerun travis ci

* Done : code formatting

* Red screen error resolved from the update profile page(Issue #824)

* [Fix] RenderFlex overflow in Member details Screen

* Merge branch 'functionality-to-crop-picture' of https://github.com/afaanshariff/talawa into functionality-to-crop-picture

* resolved merge conflicts

* resolved exceptions in image_service.dart

* resolved exceptions in image_service.dart

* Organisation setting bug fix

- Fixes bug #833
- Code reformatting of profile_page_viewModel.dart and profile_page.dart

* Updated CONTRIBUTING.md with new Branching Strategy

* Removed gitflow from CONTRIBUTING.md

* Fixed typo in CONTRIBUTING.md

* User will not be able to delete others' events

fix #832

* Simplification of LeaveOrg and OrgSetting Button

* Using snake case in file names

- Flutter SDK was showing a warning as camel case was used in the file names, so the file was renamed to snake case.

* Organisations directory file size reduction

- Dart file size reduction (under 300 lines) of files under "lib/views/pages/organization" directory
- Code refactored and reformatted

* Users can't see an option to delete if they are not allowed

* Fixes #840

* Fixes #840

* Minor change : Ternary operators removed

* event_dialog file size reduction

- Widgets common between add_event_dialog.dart and edit_event_dialog.dart have been separated into file event_widgets.dart
- Data is passed as parameter
- Register form also reformatted

* Organization names are displayed in sorted order.

* File size reduction set_url_page.dart

* Reformatted

- Reformatted with flutter format
- URL Page Animation extracted and moved to other file

* Update register_form_test.dart

* Update pull_request_template.md

* String refactoring (#829)

* lang addition

* lng-add

* static string removal

* language changes

* chgs in main

* test update

* Language selector UI (#837)

* ui added

* adding lng widget

* bug fix

* test upd

* Edit Event page bug fix (#875)

* [Fix] Event list shows wrong data after deleting an event (#817)

* chore: fixes linting issue

* ptch: replaces event list with displayed events list

* Refactor of the toast widget and deletion of `snackbar.dart` (#813)

* Replacing extra widgets for toasts with Custom Toast and making it uniform

* removed snackbar.dart due to no implementation

* flutter format

* merge conflict resolved

Co-authored-by: rutvik11062000 <[email protected]>
Co-authored-by: Brandon Chung <[email protected]>
Co-authored-by: Astha Nayak <[email protected]>
Co-authored-by: raunak_k02 <[email protected]>
Co-authored-by: ahluwaliatikant <[email protected]>
Co-authored-by: StrangeNoob <[email protected]>
Co-authored-by: Sumitra Saksham <[email protected]>
Co-authored-by: afaanshariff <[email protected]>
Co-authored-by: Troy Anderson <[email protected]>
Co-authored-by: Shreyash Lata <[email protected]>
Co-authored-by: Sagar Utekar <[email protected]>
Co-authored-by: Peter Harrison <[email protected]>
Co-authored-by: AFFAN SHARIFF <[email protected]>
Co-authored-by: Aditya Birangal <[email protected]>
Co-authored-by: Sumitra Saksham <[email protected]>
Co-authored-by: Muskan Modi <[email protected]>
Co-authored-by: Muskan Modi <[email protected]>
Co-authored-by: Aman Anand <[email protected]>
Co-authored-by: DangaRanga <[email protected]>
Co-authored-by: Piyush Goel <[email protected]>
Co-authored-by: Raunak Kumar <[email protected]>
palisadoes added a commit that referenced this issue Jun 29, 2021
* Added linting,actions and other repo related files

* Preauth screens with applogo native,flutter splash screens

* Fonts added - refactor

* Add HomePage

* Add widget test for homepage

* update line limit to 400 in countline.py

* HomePage starter UI

* Updated the tests

* Updated GitHub workflow to exclude 'lib/custom_painters/talawa_logo.dart'. Fixes #856

* Updated GitHub workflow to exclude 'lib/custom_painters/talawa_logo.dart'. Fixes #856

* Updated GitHub workflow to exclude 'lib/custom_painters/talawa_logo.dart'. Fixes #856

* Add themeclass for light and dark theme

* Refactor textstyles

* Delete textstyles.dart

* Update pull_request_template.md

* [GSoC] - Code re-write and migration (#863)

* Validators,Plugins,File structuring,Test fail fix and joinorg,waiting pages

* Updated the workflow for minimum coverage, will be reverted back soon

* [Gsoc ] Added UI and implemented MVVM started on OrganizationFeedPage (#864)

* Added CustomCarousel

* Added models

* Removing linting problems

* Fixed errors except sort dependency

* Completed - demo data and models implemented MVVM

* Removed problems

* [GSoC] Deeplinking in application for invitation links, renaming according to lint (#866)

* Validators,Plugins,File structuring,Test fail fix and joinorg,waiting pages

* Updated the workflow for minimum coverage, will be reverted back soon

* Deeplinking for invitation links completed

* [Gsoc] Added Individual Post Page , Pinned post Page  (#867)

* Added CustomCarousel

* Added models

* Removing linting problems

* Fixed errors except sort dependency

* Completed - demo data and models implemented MVVM

* Removed problems

* Finished Pinned Post Page and Individual Post Page

* [GSoC] - Pre-auth view_models and model implementation, refactor needed (#868)

* Validators,Plugins,File structuring,Test fail fix and joinorg,waiting pages

* Updated the workflow for minimum coverage, will be reverted back soon

* Deeplinking for invitation links completed

* Pre-auth view_models and model implementation, refactor needed

* [GSoC] Added UI with basic implementation of MVVM started for Explore Events Screen (#870)

* add explore events page with mvvm

* modify tests

* add eventInfo Page and createEvent Page (#874)

* [GSoC] - Pre-auth new navigation flow completion with server linking (#878)

* Validators,Plugins,File structuring,Test fail fix and joinorg,waiting pages

* Updated the workflow for minimum coverage, will be reverted back soon

* Deeplinking for invitation links completed

* Pre-auth view_models and model implementation, refactor needed

* Minor route fixes

* [GSoC] - Test Fix, invite link deprecation fix (#880)

* Model refactoring and invite link fix

* # This is a combination of 2 commits.
# This is the 1st commit message:

fix test failure

# This is the commit message #2:

Added flutter analyser

* [GSoC] homeview UI refactoring and adding drawer UI (#881)

* fixed generated plugin error

* Refactored UI for dark mode

* Added drawer UI

* Added Drawer UI

* [GSoC] Created "Add post page" UI (#884)

* fixed generated plugin error

* Created Add Post Page UI

* Updated Home page test

* [GSoC] - Organisation Switching from drawer (#885)

* Added flutter analyzer

* Switching org from drawer and minor bug fixes

* Added test for splash screen

* [GSoC] Add Profile and Edit Profile screens with MVVM (#886)

* add profile and edit profile screen

* delete home_page.dart and fix profile textfield

* [GSoC] - Update the UserConfig to get realtime updates (#887)

* fixed generated plugin error

* Used subscriptions to get realtime UI updates.

* Updated tests

* Refactored to work with stream data (#888)

* fixed generated plugin error

* Used subscriptions to get realtime UI updates.

* Updated tests

* refactored to work with the stream data

* Fixed travis build error

* Analyzer fixes

* [GSoC] - Refactoring, common alert popup & test (#889)

* Refactoring, common alert popup & test

* talawa analysis point increment

* [GSoC] - Connected Post Service with backend and switch organization service (#890)

* fixed generated plugin error

* Used subscriptions to get realtime UI updates.

* Updated tests

* refactored to work with the stream data

* Fixed travis build error

* Analyzer fixes

* Initial code for post service

* Added Stream setup for posts

* Integrated post service and preserved page state

* Fixing the analyzer

* Tests updates

* Refactoring and join org page after auth (#891)

* [GSoC] - Mockito testing setup with the services || Service Stream Refactoring (#893)

* fixed generated plugin error

* Used subscriptions to get realtime UI updates.

* Updated tests

* refactored to work with the stream data

* Fixed travis build error

* Analyzer fixes

* Initial code for post service

* Added Stream setup for posts

* Integrated post service and preserved page state

* Fixing the analyzer

* Tests updates

* Refactored Services & added Local cache "LIKE" fun

* Finished mocking the services using Mockito

* Fixing the travis build failure

* [GSoC] Connect explore events and create events with the backend (#894)

* connect explore events with backend

* add create event functionality

* Fix failing tests

* [GSoC] - Refactoring in functions class, use of global model for post (#895)

* Refactoring in functions class, use of global model for post

* Merge conflicts fix

* [GSoC] Add validation for create_event_form.dart and refactor. (#896)

* fix events not displaying issue

* Remove unused imports

* Updated connectivity_plus plugin (#899)

* GSoC - Adding / Removing || Adding comment (#903)

* fixed generated plugin error

* Added like functionality

* Added Removing like feature

* Added comment feature without single source of truth

* Added comment features and Updated test.

Co-authored-by: rutvik11062000 <[email protected]>

* GSoC branch lang controller addition (#897)

* language controller and before-auth language addition

* Pubspec update

* test changes

* test updates

* Updates

* test updated

* language updates

* selection test case updated

* Final Updates

* viewmodel update

* Test file updates

* Flutter code analyze update

Co-authored-by: rutvik11062000 <[email protected]>
Co-authored-by: Shreyash Lata <[email protected]>
Co-authored-by: Astha Nayak <[email protected]>
Co-authored-by: StrangeNoob <[email protected]>
Co-authored-by: raunak_k02 <[email protected]>
Co-authored-by: Sagar Utekar <[email protected]>
Co-authored-by: Peter Harrison <[email protected]>
Co-authored-by: afaanshariff <[email protected]>
Co-authored-by: AFFAN SHARIFF <[email protected]>
Co-authored-by: ahluwaliatikant <[email protected]>
Co-authored-by: Aditya Birangal <[email protected]>
Co-authored-by: Muskan Modi <[email protected]>
Co-authored-by: Muskan Modi <[email protected]>
Co-authored-by: Troy Anderson <[email protected]>
Co-authored-by: Aman Anand <[email protected]>
Co-authored-by: DangaRanga <[email protected]>
Co-authored-by: Piyush Goel <[email protected]>
Co-authored-by: CyberWake <[email protected]>
Co-authored-by: Utkarsh S <[email protected]>
Co-authored-by: Rutvik Chandla <[email protected]>
Co-authored-by: CyberWake <[email protected]>
Co-authored-by: rutvik11062000 <[email protected]>