Validate User Permission in POST /favorites

Question

Validate User Permission in POST /favorites

geoffturk opened this issue 4 years ago · 3 comments

A user is currently able to add a favorite to an entity not controlled by him. We need to check the user is linked to the entity where the favorite is being added. If not, return a 403 error.

Answer 1 · 2020-05-07T08:55:05.000Z

@LIYINGZHEN Please resolve in #115

Answer 2 · 2020-05-12T02:04:25.000Z

This should be a seperate PR.

Answer 3 · 2020-05-12T07:47:20.000Z

If you prefer. Can you do it before you finish the logging PR then? Or right after?