You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe the bug
If you're authenticated and have the collection id for another user's collection, you can still access that collection by entering the correct URL.
This violates an expectation of privacy that needs to be fixed. Collections should only be accessible via a URL when marked as Shareable. This will require needing to add some field in the db to mark a collection as shareable, and we'll need to add a UI element in a collection page to toggle whether or not a collection is shareable. But it's important that a Collection be inaccessible even with the correct URL in order to maintain privacy, and only when a user explicitly decides to share a collection should it be accessible via a URL.
To Reproduce
Steps to reproduce the behavior:
Run the app locally
Login as user A
Create a collection
Copy the URL and log out
Login as user B
Paste the URL and user A's collection will load. This should not happen.
Expected behavior
A page saying that you don't have permission to access this collection should be displayed.
Screenshots
If applicable, add screenshots to help explain your problem.
Desktop (please complete the following information):
OS: MacOS
Browser: Chrome
Version: 102.0
The text was updated successfully, but these errors were encountered:
Describe the bug
If you're authenticated and have the collection id for another user's collection, you can still access that collection by entering the correct URL.
This violates an expectation of privacy that needs to be fixed. Collections should only be accessible via a URL when marked as Shareable. This will require needing to add some field in the db to mark a collection as shareable, and we'll need to add a UI element in a collection page to toggle whether or not a collection is shareable. But it's important that a Collection be inaccessible even with the correct URL in order to maintain privacy, and only when a user explicitly decides to share a collection should it be accessible via a URL.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
A page saying that you don't have permission to access this collection should be displayed.
Screenshots
If applicable, add screenshots to help explain your problem.
Desktop (please complete the following information):
The text was updated successfully, but these errors were encountered: