Secret key
Opened this issue · 0 comments
ryanb commented
The xapit/reload controller action is public and accessible to everyone. This should be protected and require some kind of authorization so the public users cannot trigger it.
This should be possible with a simple key setting. Maybe like this:
XapitSync.private_key = "alsdhskdfhlizhzlsdfhkwe"
If this exists then it is required that this be specified in the URL when triggering xapit controller actions.
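One way the check proposed in this issue could look, as an added example that is not xapit's code or the issue author's. The module name `XapitSyncExample`, the `key` query parameter and the fail-closed handling of an empty key are assumptions made for illustration.

```ruby
require "digest"

# Hypothetical stand-in for the proposed setting; not part of xapit.
module XapitSyncExample
  class << self
    attr_accessor :private_key
  end

  # Compare two strings without leaking, through timing, how many leading
  # bytes match. Hashing first gives both sides the same length.
  def self.secure_equal?(a, b)
    da = Digest::SHA256.digest(a).bytes
    db = Digest::SHA256.digest(b).bytes
    diff = 0
    da.each_with_index { |byte, i| diff |= byte ^ db[i] }
    diff.zero?
  end

  # params: hash of query parameters from the request.
  # Returns true when the caller may trigger the controller action.
  def self.authorized?(params)
    configured = private_key
    # As described in the issue: the key is only required if it is set.
    return true if configured.nil?
    # Assumption of this example: an empty configured key denies everyone
    # instead of accepting an empty "key" parameter.
    return false if configured.empty?

    supplied = params["key"]
    # Query parameters can arrive as arrays or hashes (?key[]=...); only a
    # plain string is accepted.
    return false unless supplied.is_a?(String)

    secure_equal?(supplied, configured)
  end
end
```

A controller would call `authorized?` before running the action and answer with 403 when it returns false.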