Sites in repository can be edited by anyone

Bug #1545491 reported by Anupam
Affects: my-webapp-group
Status: Confirmed
Importance: Low
Assigned to: Matti Rinta-Nikkola
Milestone: none

Bug Description

Currently the "Align" option provides the user a way to match the site inserted by her with the site in the repository, either by downloading the configuration in the repo or by uploading her configuration to the repo, overwriting the previous one. The second option is risky as it gives pranksters an opportunity to vandalise the entries in the repository. There should be some security measure, such as changes made by users having to be approved by the admin before overwriting a repo entry.

Matti Rinta-Nikkola (matti-rintanikkola-d) wrote :

This is a choice of configuration rather than a bug.
Not all sites on the repository are update-able using the app. Try to upload, for example, the wikimedia project or google app site.
Secondly, a website on the repository is individualised by its url, which implies that you will not be able to change its url using the app. Also, on the app there is a control that the url must satisfy the url-pattern before you can upload the new configuration.
After all, you are right about the security issues you have stated above and I'm well aware of them. But I do not have time to start to inspect the individual updates and I do not think it would improve usability. Nor does wikipedia strictly control updates a priori.
The repository is backed up weekly, and posterior controls could be implemented for updates that have been made during the week.
The apps are using the parse.com backend for the repository service. Parse.com announced in late January that it will be fully retired on January 28, 2017. Fortunately they have made the site source code public and have also published migration guides. I have taken writing these apps as a pure hobby and I'm willing to invest in the activity only my time. Finding a backend solution paid by others ;) is now my priority problem.

Changed in my-webapp-group:
status: New → Confirmed
importance: Undecided → Low
assignee: nobody → Matti Rinta-Nikkola (matti-rintanikkola-d)
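The approval step the reporter asks for, combined with the two controls the comment describes (the site is keyed by its url, and the url must satisfy a pattern before an upload is accepted), can be sketched as a small staging queue. This is an added illustration, not code from the app or its parse.com backend; the url pattern, the field names and the "locked" set of non-update-able sites are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed example (not the app's code): a site repository keyed by url.
# User uploads are staged in a pending queue; only an admin's approval
# overwrites the live entry that "Align" would otherwise download.
URL_PATTERN = re.compile(r"^https?://[A-Za-z0-9.-]+(?::\d+)?(?:/\S*)?$")  # assumed pattern


@dataclass
class SiteRepository:
    live: dict = field(default_factory=dict)     # url -> approved configuration
    pending: dict = field(default_factory=dict)  # url -> list of (user, config)
    locked: set = field(default_factory=set)     # sites not update-able via the app
    admins: set = field(default_factory=set)     # users allowed to approve
    audit: list = field(default_factory=list)    # (action, user, url) for posterior review

    def submit(self, user: str, url: str, config: dict) -> int:
        """Stage a user's configuration instead of overwriting the repo entry."""
        if not URL_PATTERN.match(url):
            raise ValueError("url does not satisfy the url-pattern")
        if url in self.locked:
            raise PermissionError("site is not update-able using the app")
        if config.get("url", url) != url:
            raise ValueError("the url identifies the site and cannot be changed")
        queue = self.pending.setdefault(url, [])
        queue.append((user, {**config, "url": url}))
        self.audit.append(("submit", user, url))
        return len(queue)

    def approve(self, admin: str, url: str, index: int = 0) -> str:
        """Admin promotes one pending submission to live and clears the queue."""
        if admin not in self.admins:
            raise PermissionError("only an admin may overwrite a repo entry")
        user, config = self.pending.pop(url)[index]
        self.live[url] = config
        self.audit.append(("approve", admin, url))
        return user

    def reject(self, admin: str, url: str) -> int:
        """Admin discards every pending submission for a site; returns how many."""
        if admin not in self.admins:
            raise PermissionError("only an admin may reject submissions")
        dropped = len(self.pending.pop(url, []))
        self.audit.append(("reject", admin, url))
        return dropped
```

The audit list is what the weekly-backup "posterior controls" in the comment would be reconciled against: every live change is traceable to the admin who approved it and the user who submitted it.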