[FEATURE] Allow access to Pix Junior only if a session is active #9456
Merged: pix-service-auto-merge merged 3 commits into dev from pix-12727-add-session-verification-for-all-PixJunior-route on Jul 8, 2024
Once the applications are deployed, they will be accessible via the following links:
The environment variables will be accessible via the following links:
4c6b77c to f0c1377
HEYGUL reviewed Jul 7, 2024: api/src/school/application/usecases/is-school-session-active.js (outdated)
HEYGUL reviewed Jul 7, 2024: api/tests/school/unit/application/usecases/is-school-session-active_test.js (outdated)
442abdb to 86822ae
theotime2005 reviewed Jul 8, 2024:
api/src/school/application/usecases/is-school-session-active.js (outdated)
api/tests/school/integration/infrastructure/repositories/school-repository_test.js (outdated)
86822ae to 3967d93
theotime2005 approved these changes Jul 8, 2024
yaelle6 approved these changes Jul 8, 2024
tech and front-end review in mob
3967d93 to 025ef04
🦄 Problem
Pix Junior is accessible without authentication and gives access to the list of students imported into a school, from a simple school code.
This school code can be brute-forced in the application.
🤖 Proposal
To limit the attack surface of this code, it will only be made usable on the condition that a session has been opened by the teacher.
This PR aims to prevent access to Pix Junior when there is no active session for the school.
🌈 Remarks
The API must behave the same way when it is given a wrong school code or a school code for which no session is open. This is so as not to give any information about the validity of the school code.
💯 To test
On the Pix Junior school code entry page:
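The behaviour required in the remarks above (same answer for a wrong school code and for a valid code with no open session), as an added example that is not part of the PR or the Pix code base. The data shape, the `sessionExpirationDate` field, the function names and the 404 body are assumptions made for illustration.

```javascript
// Added example: data shape, names and the 404 mapping are assumptions.
class SchoolNotFoundError extends Error {}

// Constructed sample data standing in for the school repository.
const SCHOOLS = new Map([
  ['AAAAAA111', { name: 'School A', learners: ['Ana', 'Bo'],
                  sessionExpirationDate: new Date('2024-07-08T12:00:00Z') }],
  ['BBBBBB222', { name: 'School B', learners: ['Cy'],
                  sessionExpirationDate: null }],
]);

// True only when the school exists and its session has not expired yet.
function isSchoolSessionActive(school, now) {
  const expiry = school?.sessionExpirationDate;
  return expiry instanceof Date && expiry.getTime() > now.getTime();
}

// Unknown code, never-opened session, expired session: one error type,
// with no message or field that tells the three cases apart.
function getSchoolByCode(code, now) {
  const school = SCHOOLS.get(code);
  if (!isSchoolSessionActive(school, now)) throw new SchoolNotFoundError();
  return school;
}

// Hypothetical handler: maps the single error to a fixed 404 body.
function handleGetSchool(code, now = new Date()) {
  try {
    const { name, learners } = getSchoolByCode(code, now);
    return { status: 200, body: JSON.stringify({ name, learners }) };
  } catch (error) {
    if (!(error instanceof SchoolNotFoundError)) throw error;
    return {
      status: 404,
      body: JSON.stringify({ errors: [{ status: '404', title: 'Not Found' }] }),
    };
  }
}
```

A test that compares the full response for an unknown code with the one for a known code without a session catches regressions where a distinct message or status leaks code validity.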