Skip to main content

Winstogram 'Unable to edit' bug fix

·441 words·3 mins
Web Development Python
Josh
Author
Josh
I’m a Year 12 student studying Data Science and Web Dev, looking into a future in Cyber Security
WINSTON - This article is part of a series.
Part 1: Time to get started on W.I.N.S.T.O.N. (Data)
Part 2: Time to get started on W.I.N.S.T.O.N. (Web)
Part 3: Winston Wk 1 | Blender Python Library & issues with Conda
Part 4: Winston Wk 1 | Data Formatting Plans
Part 5: Winston Wk 2 | Blender Python Library, Creating Objects and Meshes
Part 6: Winston Wk 2 | The start of Winstogram
Part 7: Winston Wk 3 | Methods of Data Visualisation
Part 8: Winston Wk 3 | Database Setup
Part 9: Winston Wk 4 | ASCII Works. Creating a Mesh from a Point Cloud?
Part 10: Winston Wk 4 | Winstogram Lives! Admin also..
Part 11: Winston Wk 5 | The BALL PIVOTING ALGORITHM
Part 12: Winston Wk 5 | Update looks and collections!
Part 13: Winston Wk 6 | Live Data Feed
Part 14: Winston Wk 6 | API Implementation
Part 15: Winston Wk 7 | API & Inifinite Scroll
Part 16: Winston Wk 8 | Update Looks and Forgot Password
Part 17: Winston Wk 9 | Comments and Testing
Part 18: Winston Wk 10 | ML Hand Gesture Recognition
Part 19: Winston Wk 10 | Codeblocks, Decorators, and More!
Part 20: Winston Wk 10 | First Neural Network
Part 21: Winston Wk 11
Part 22: 19/09/2023 - Transition & Editing
Part 23: This Article

Diff

Morgan’s Blog

Sam’s Blog

GitHub Repository - Winston - All parts of the project are linked through submodules

Bug fixing #

Last week I was doing some testing of Winstogram to find things that may need to be fixed or errors that may pop up. I got one of my classmates to try to create a post and edit it, and then test deletion of the post as well. The issue they ran into had to do with being locked out of doing that. The previous posts on Winstogram have shown the implementation of the editing and deletion features of posts as well as a revamped saving feature (which can still only save to one collection, and you can’t unsave it).

The issue I found, was that the requests were going through but it wasn’t acting on it. I found that it had to do with the check done in the api. It was a very small part of the code, and this was something that had flown under the radar for a little bit.

The code that was blocking the editing and deletion of posts was the one which normally checks if a user is deleting their own post, otherwise it will not allow the request to go through. It looked like this previously:

if not (current_user.admin or current_user.id != tables[table_name].query.get(entry_id).user_id):
    return jsonify(response="Unauthorized", status='error'), 401

This was meant to check if the user is an admin or if the user owns the post. It checks if the user is an admin or doesn’t own the post, and then it performs a NOT on both of them. This means that if it was tested by someone and they were to try and delete a post, it would say they own the post, therefore with the current_user.id != tables..., the statement would evaluate to false, and therefore the not would kick in and disallow any changes, assuming that the post wasn’t owned by the user. To fix this, I just needed to change the != into a ==. The final code to fix this looked like this:

if not (current_user.admin or current_user.id == tables[table_name].query.get(entry_id).user_id):
    return jsonify(response="Unauthorized", status='error'), 401

The issue with the code, besides it not working, was the fact that this was actually a vulnerability. It meant that anyone could delete or update anyone’s posts by making an http request. Now that the cookies are being checked for the user with a session id, we are able to say that the request must come from the user, and they must either own the post or be an admin in order to affect the post, otherwise it will not be allowed.

WINSTON - This article is part of a series.
Part 1: Time to get started on W.I.N.S.T.O.N. (Data)
Part 2: Time to get started on W.I.N.S.T.O.N. (Web)
Part 3: Winston Wk 1 | Blender Python Library & issues with Conda
Part 4: Winston Wk 1 | Data Formatting Plans
Part 5: Winston Wk 2 | Blender Python Library, Creating Objects and Meshes
Part 6: Winston Wk 2 | The start of Winstogram
Part 7: Winston Wk 3 | Methods of Data Visualisation
Part 8: Winston Wk 3 | Database Setup
Part 9: Winston Wk 4 | ASCII Works. Creating a Mesh from a Point Cloud?
Part 10: Winston Wk 4 | Winstogram Lives! Admin also..
Part 11: Winston Wk 5 | The BALL PIVOTING ALGORITHM
Part 12: Winston Wk 5 | Update looks and collections!
Part 13: Winston Wk 6 | Live Data Feed
Part 14: Winston Wk 6 | API Implementation
Part 15: Winston Wk 7 | API & Inifinite Scroll
Part 16: Winston Wk 8 | Update Looks and Forgot Password
Part 17: Winston Wk 9 | Comments and Testing
Part 18: Winston Wk 10 | ML Hand Gesture Recognition
Part 19: Winston Wk 10 | Codeblocks, Decorators, and More!
Part 20: Winston Wk 10 | First Neural Network
Part 21: Winston Wk 11
Part 22: 19/09/2023 - Transition & Editing
Part 23: This Article