Currently whether the user is an admin is determined by the string name of their role. This is reasonably secure since these are created in Auth0 by the super admin, so it would be very hard for an attacker to somehow mess with that; however, this should ideally not be done this way because it is certifiably jank ™️.
A better way may be to have the super admin provide the Role ID values from Auth0 as an environment variable to be used for comparisons, i.e. there could be env vars such as `CLASSCLOCK_SUPERADMIN_ROLE_ID` and `CLASSCLOCK_SCHOOL_ADMIN_ROLE_ID`. This would allow for future UIs to be created for the superadmin to be able to assign admins to schools on their instance, and may be required for an open source release.
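The following is an added example illustrating the change this issue proposes; it is not ClassClock's own code. It shows the role-name check beside the role-ID check: the ID-based version reads the two environment variables named in the issue, fails closed when either is unset, and compares against role IDs carried in the user's token. The claim key `https://classclock.example/role_ids` and the `rol_...` values are assumptions (Auth0 only puts role IDs in a token if an Action or rule adds a custom claim), and the sample claims are constructed.

```python
import os
from typing import Iterable, Mapping, Optional

# Env var names are the ones proposed in the issue.
ENV_SUPERADMIN = "CLASSCLOCK_SUPERADMIN_ROLE_ID"
ENV_SCHOOL_ADMIN = "CLASSCLOCK_SCHOOL_ADMIN_ROLE_ID"

# Assumed custom claim name under which a token carries Auth0 role IDs.
ROLE_CLAIM = "https://classclock.example/role_ids"


def is_admin_by_name(role_names: Iterable[str]) -> bool:
    """The current approach: match on the human-readable role name.
    Works only while the display names never change and nobody creates
    a similarly named role by mistake."""
    return any(name in ("Super Admin", "School Admin") for name in role_names)


def load_role_ids(env: Mapping[str, str] = os.environ) -> dict:
    """Read the configured Auth0 role IDs from the environment.

    Fails closed: if either variable is missing or blank, no admin
    level can be granted, so the app refuses to start rather than
    silently treating everyone as a non-admin (or worse, an admin)."""
    ids = {}
    for level, var in (("superadmin", ENV_SUPERADMIN),
                       ("school_admin", ENV_SCHOOL_ADMIN)):
        value = env.get(var, "").strip()
        if not value:
            raise RuntimeError(f"{var} is not set; refusing to grant admin access")
        ids[level] = value
    return ids


def admin_level(claim_role_ids: Iterable[str], configured: dict) -> Optional[str]:
    """Return the highest admin level whose configured role ID appears
    in the token's role IDs, or None when the user holds neither."""
    roles = set(claim_role_ids)
    if configured["superadmin"] in roles:
        return "superadmin"
    if configured["school_admin"] in roles:
        return "school_admin"
    return None


def admin_level_from_claims(claims: Mapping, configured: dict) -> Optional[str]:
    """Convenience wrapper over a decoded token's claims dict."""
    role_ids = claims.get(ROLE_CLAIM, [])
    if not isinstance(role_ids, list):
        return None  # malformed claim: treat as no roles
    return admin_level(role_ids, configured)


if __name__ == "__main__":
    # Constructed environment and token claims, not real Auth0 values.
    env = {ENV_SUPERADMIN: "rol_SUPER0000000001",
           ENV_SCHOOL_ADMIN: "rol_SCHOOL000000001"}
    cfg = load_role_ids(env)
    token_claims = {"sub": "auth0|user1", ROLE_CLAIM: ["rol_SCHOOL000000001"]}
    print(admin_level_from_claims(token_claims, cfg))  # school_admin
```

Role IDs are opaque identifiers, so a renamed role in the Auth0 dashboard no longer changes who is treated as an admin, and a later admin-assignment UI can hand out the same IDs without the backend knowing any display names.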