Sites in repository can be edited by anyone
Bug #1545491 reported by Anupam
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
my-webapp-group | Confirmed | Low | Matti Rinta-Nikkola |
Bug Description
Currently the "Align" option provides the user a way to match the site inserted by her with the site in the repository, either by downloading the configuration in the repo or by uploading her configuration to the repo, overwriting the previous one. The second option is risky as it gives pranksters an opportunity to vandalise the entries in the repository. There should be some security measure, such as changes made by users having to be approved by the admin before overwriting a repo entry.
This is a choice of configuration rather than a bug.
Not all sites in the repository are updatable using an app. Try to upload, for example, a Wikimedia project or a Google app site.
Secondly, a website in the repository is individualised by its url, which implies that you will not be able to change its url using the app. Also, in the app there is a control that the url must satisfy the url-pattern before you can upload the new configuration.
After all, you are right about the security issues you have stated above and I'm well aware of them. But I do not have time to start inspecting the individual updates and I do not think it would improve usability. Wikipedia does not strictly control updates a priori either.
The repository is backed up weekly, and posterior controls could be implemented for updates that have been made during the week.
The apps are using the parse.com backend for the repository service. Parse.com announced in late January that it will be fully retired on January 28, 2017. Fortunately they have made the site source code public and have also published migration guides. I have taken up writing these apps as a pure hobby and I'm willing to invest only my time in the activity. Finding a backend solution paid by others ;) is now my priority problem.
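The posterior control suggested in the comment above could look like the following added example, which is not the project's code: it compares the weekly backup with the live repository, lists every entry changed during the week, and re-checks the url against the url-pattern on the server side. The field names (`id`, `url`, `urlPattern`, `config`), the sample rows, and the assumption that the url-pattern is a regular expression are all hypothetical.

```javascript
// Constructed sample data. Field names (id, url, urlPattern, config) are
// assumptions for illustration, not the app's real repository schema.
const weeklyBackup = [
  { id: "s1", url: "https://forum.example.org/", urlPattern: "^https://forum\\.example\\.org/", config: { theme: "dark", feed: "/rss" } },
  { id: "s2", url: "https://news.example.com/", urlPattern: "^https://news\\.example\\.com/", config: { feed: "/atom" } },
  { id: "s3", url: "https://wiki.example.net/", urlPattern: "^https://wiki\\.example\\.net/", config: { lang: "en" } },
];
const liveRepository = [
  { id: "s1", url: "https://forum.example.org/", urlPattern: "^https://forum\\.example\\.org/", config: { feed: "/rss", theme: "dark" } },
  { id: "s2", url: "https://news.example.com/", urlPattern: "^https://news\\.example\\.com/", config: { feed: "/defaced" } },
  { id: "s3", url: "https://other.example.net/", urlPattern: "^https://wiki\\.example\\.net/", config: { lang: "en" } },
  { id: "s4", url: "https://new.example.org/", urlPattern: "^https://new\\.example\\.org/", config: {} },
];

// Key-order-independent serialisation so reordered keys are not reported as edits.
function canonical(value) {
  if (value === null || typeof value !== "object") return JSON.stringify(value);
  if (Array.isArray(value)) return "[" + value.map(canonical).join(",") + "]";
  return "{" + Object.keys(value).sort().map(k => JSON.stringify(k) + ":" + canonical(value[k])).join(",") + "}";
}

// An unparsable pattern counts as a mismatch instead of crashing the review.
function urlMatches(url, pattern) {
  try { return new RegExp(pattern).test(url); } catch (e) { return false; }
}

// Returns one finding per entry that differs from the backup, with the reasons
// a reviewer should look at and the backup row to restore from if it is vandalism.
function reviewWeeklyChanges(backupRows, liveRows) {
  const before = new Map(backupRows.map(r => [r.id, r]));
  const findings = [];
  for (const row of liveRows) {
    const old = before.get(row.id);
    before.delete(row.id);
    const reasons = [];
    if (!old) reasons.push("new-entry");
    else {
      if (old.url !== row.url) reasons.push("url-changed");
      if (old.urlPattern !== row.urlPattern) reasons.push("pattern-changed");
      if (canonical(old.config) !== canonical(row.config)) reasons.push("config-changed");
    }
    if (!urlMatches(row.url, row.urlPattern)) reasons.push("url-pattern-mismatch");
    if (reasons.length) findings.push({ id: row.id, reasons, restoreFrom: old || null });
  }
  for (const old of before.values()) findings.push({ id: old.id, reasons: ["deleted"], restoreFrom: old });
  return findings;
}
```

Running the url-pattern check in the review, and not only in the app, catches uploads made by a client that skipped the app's own control.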