bug: Landscape profile images are accessible via URL without authentication #398

Open
shrouxm opened this issue Apr 4, 2023 · 0 comments

shrouxm commented Apr 4, 2023

Description

Landscape profile images are accessible without authentication, even for private landscapes.

Steps To Reproduce

  1. Go to a landscape profile that is not accessible without logging into Terraso
  2. Right-click the profile image and select "Copy image link" (or whatever your browser calls this action)
  3. Open a private tab where you are not logged into Terraso, and paste that link

Expected behavior

The image should return a 404.

Actual behavior

The image appears.

Additional context

We should, in fixing this issue, review how we are managing access control on all of our static files so this doesn't happen unexpectedly with future potentially private data.

@shrouxm shrouxm added the 1000L label Apr 4, 2023
@shrouxm shrouxm added this to Terraso Apr 4, 2023
@shrouxm shrouxm added the bug label Jun 19, 2023
@DerekCaelin DerekCaelin removed the 1000L label Apr 17, 2024
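
The expected behavior in the issue above, sketched as an added example that is not part of the issue or of Terraso's code: image requests go through the same access check as the landscape page, and an unauthenticated or non-member request for a private landscape's image gets a 404. The URL prefix, the `session` cookie, the landscape names and the in-memory data are assumptions made for illustration.

```python
from http.cookies import SimpleCookie
from wsgiref.util import setup_testing_defaults

# Constructed sample data; names, paths and session tokens are hypothetical.
LANDSCAPES = {
    "public-valley": {"private": False, "members": set()},
    "private-ridge": {"private": True, "members": {"alice"}},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # session token -> user
IMAGES = {slug: b"\x89PNG-constructed-" + slug.encode() for slug in LANDSCAPES}
PREFIX = "/landscape-images/"


def can_view(slug, user):
    """Public landscapes are visible to anyone; private ones only to members."""
    info = LANDSCAPES.get(slug)
    if info is None:
        return False
    return not info["private"] or (user is not None and user in info["members"])


def app(environ, start_response):
    """WSGI app that serves a profile image only after the access check passes."""
    path = environ.get("PATH_INFO", "")
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    token = cookie["session"].value if "session" in cookie else None
    user = SESSIONS.get(token)
    slug = path[len(PREFIX):] if path.startswith(PREFIX) else None
    if slug is None or not can_view(slug, user):
        # Same 404 for "missing" and "not allowed", so the response does not
        # reveal whether a private landscape exists.
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"Not found"]
    start_response("200 OK", [("Content-Type", "image/png"),
                              ("Cache-Control", "private, no-store")])
    return [IMAGES[slug]]


def request_status(path, session=None):
    """Call the app in-process; return (status code, body) for a regression check."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    if session:
        environ["HTTP_COOKIE"] = "session=" + session
    seen = []
    body = app(environ, lambda status, headers: seen.append(status))
    return int(seen[0].split()[0]), b"".join(body)
```

`request_status` doubles as the regression check for the reproduction steps: calling it with no session mirrors pasting the copied image link into a private tab.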