iGeeky/wolf

Bug: The Set User Roles interface has no request method restriction

Closed this issue · 5 comments

You indicate in the document that the request method of the /wolf/user-role/set interface is POST, but while testing I accidentally found that the PUT method can also succeed. Is this a bug?
I have not tested the other interfaces; please test the others as well.


Another problem :

  • Even if the user's appID list does not contain this application, a role binding for this application can still be added, and it takes effect.
  • Do the reverse experiment:
    Directly delete the application from the user's appID list without first deleting the role binding under this application; the role binding still takes effect.

I don't know whether this is expressly designed by you or a bug. Hope you can answer.

@Hcreak

You indicate in the document that the request method of the /wolf/user-role/set interface is POST, but while testing I accidentally found that the PUT method can also succeed. Is this a bug?
This is a known problem: there is no strict verification of the HTTP request method. Mixing POST and PUT should not cause any problems.
Even if the user's appID list does not contain this application, a role binding for this application can still be added, and it takes effect.
This problem is currently controlled from the Console interface. The backend interface has not yet been validated for this. I'll find some time later to work on the corresponding checksum issue. Or do you have time to address this issue and submit a PR?

Oh my god, LOL ;-) I just did the test again.
I found that there are no effective restrictions in many places (for example, the add-user interface can be used to add non-existent applications to the appID list).
Maybe your intention is to rely on the console front end for control, but there are so many scenarios that use the API that leaving the backend unrestricted is not elegant enough.

This problem is currently controlled from the Console interface. The backend interface has not yet been validated for this. I'll find some time later to work on the corresponding checksum issue. Or do you have time to address this issue and submit a PR?

I think this task is huge; maybe you could modify one interface as an example, and I will try to modify the other interfaces following that example.

Okay, I'll add this to my TODO list and work on it as soon as possible.

#9 In this PR, I added request method verification to all interfaces. I don't know whether it meets your coding style. Please review.

All the above issues have been fixed.
ba97310
bc497b0
91a6a3f