security-setup #3
Reference: NB-Public/kandimat#3
Introduce basic security.
There are four roles:
Their respective permissions are summarized in security considerations.
The setup basically follows these guides:
How to test
There are a lot of possibilities that should be tested. They all revolve around acting like one of the four roles and trying to do things (however, in the current state there is not much difference between user and Anonym except for the possibility to log in).
Pose as a member of one of the roles
To pose as one of the three roles use the graphiql interface and authenticate as
erika@musterman.de (editor)
max@mustermann.de (candidate)
happy@user.de (normal user)
The password is always "password".
Use following graphQL Query:
Variables:
The jwtToken in the response has to be added to the headers in the following way:
Penetrate the security setup
Creating questions
Should only be possible as "editor". Use the following mutation:
with the variables
Creating categories
Should only be possible as "editor".
Mutation:
Variables
Creating answers
Should only be possible as "candidate". Also the personId needs to be 2 (the id of Max Mustermann). It should be impossible for a candidate to pose as a different candidate when answering a question.
Mutation:
Variables
Also change the personId to see that the candidate can only answer for themselves.
Updating, Deleting
In principle they should be tested, too. However, for a manual test the creation should be enough for now since the security configurations in postgres are always done for insert, update and delete together.
For now make it possible for the anonymous user to see everything in answers, question category and user.
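As an added illustration of the permission model the test plan above exercises (this is example SQL, not code from the kandimat PR), the following sketches how the four roles, the editor-only writes on questions and categories, and the "candidate can only answer for themselves" rule can be expressed with Postgres grants and row-level security. The table and column names (person, question, category, answer, person_id, question_id, text), the role names, and the jwt.claims.person_id setting are assumptions; PostGraphile does expose JWT claims as transaction-local settings of that form, but the claim name depends on how the token is built.

```sql
-- Added example, not the project's own schema. Table/column/role names are assumed.

-- Four application roles plus the login role the API server connects as.
-- The authenticator has NOINHERIT so it only gets a role's rights after SET ROLE.
create role kandimat_anonymous nologin;
create role kandimat_user      nologin;
create role kandimat_candidate nologin;
create role kandimat_editor    nologin;
create role kandimat_authenticator noinherit login password 'PLACEHOLDER_CHANGE_ME';
grant kandimat_anonymous, kandimat_user, kandimat_candidate, kandimat_editor
  to kandimat_authenticator;

-- Everyone, including the anonymous role, may read answers, questions,
-- categories and users (as the PR currently allows).
grant usage on schema public
  to kandimat_anonymous, kandimat_user, kandimat_candidate, kandimat_editor;
grant select on person, question, category, answer
  to kandimat_anonymous, kandimat_user, kandimat_candidate, kandimat_editor;

-- Editors write questions and categories; insert/update/delete are granted together.
grant insert, update, delete on question, category to kandimat_editor;
grant usage, select on all sequences in schema public to kandimat_editor;

-- Candidates write answers, but the row-level policy below limits them to
-- rows whose person_id matches the person_id claim of their JWT.
grant insert, update, delete on answer to kandimat_candidate;
grant usage, select on all sequences in schema public to kandimat_candidate;

alter table answer enable row level security;

-- Reading stays open for every role.
create policy answer_select_all on answer
  for select using (true);

-- Writing (and the rows a candidate may update/delete) is tied to the JWT claim.
-- current_setting(..., true) returns NULL instead of erroring when the claim is
-- absent, so an unauthenticated session simply matches no rows.
create policy answer_own_rows on answer
  for all to kandimat_candidate
  using (person_id = current_setting('jwt.claims.person_id', true)::integer)
  with check (person_id = current_setting('jwt.claims.person_id', true)::integer);

-- Manual check of the "pose as a different candidate" step from the test plan,
-- done in one transaction the way the API server would per request.
begin;
set local role kandimat_candidate;
set local "jwt.claims.person_id" = '2';
insert into answer (question_id, person_id, text) values (1, 2, 'own answer');       -- allowed
insert into answer (question_id, person_id, text) values (1, 3, 'as someone else');  -- rejected by answer_own_rows
rollback;
```

The second insert is the case the test plan describes when it asks you to change the personId: Postgres rejects it with a row-level security violation before the API layer is involved, so the check holds no matter which GraphQL mutation is used to reach the table. Because the policy is declared FOR ALL, the same rule covers the update and delete paths the PR defers testing.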