Your delete route trusts that any request it receives is valid. Its only protection is that you try not to show users the delete button for posts they do not own.
However, this is not the only way to send requests. Someone could easily make their own form that submits a random ID to try to delete posts, or even just use curl from the command line:
curl your-site.herokuapp.com -X POST -d "post-id=3"
You need to make sure you check the session ID from the cookie here, then get the user ID using that, and then check that that user is the owner of this button.
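The check described in the comment above, as an added example that is not part of the original issue or the project's code. The framework-free handler, the `sid` cookie name, the `post-id` body field and the in-memory session and post stores are all assumptions made for illustration; a real app would query its database in place of the two `Map`s. The insecure handler reproduces the reported behaviour (any request with a valid `post-id` deletes the post), the hardened one maps session cookie to user id and refuses unless that user owns the post.

```javascript
// Added example (not the project's code): authorising a POST delete request
// by resolving the session cookie to a user and checking post ownership.
// All stores, names and request shapes are constructed for illustration.

// Constructed stores standing in for the database.
const sessions = new Map([
  ["s-alice", 1], // session id -> user id
  ["s-bob", 2],
]);
const posts = new Map([
  [3, { id: 3, owner: 1, title: "Alice's post" }],
  [4, { id: 4, owner: 2, title: "Bob's post" }],
]);

// Minimal Cookie header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// The behaviour the issue reports: the route trusts post-id blindly, so
// `curl ... -X POST -d "post-id=3"` from any client deletes post 3.
function deletePostInsecure(req, store = posts) {
  const id = Number(req.body["post-id"]);
  if (!store.has(id)) return 404;
  store.delete(id);
  return 204;
}

// Hardened version: session cookie -> user id -> ownership check, then delete.
function deletePost(req, store = posts) {
  const sid = parseCookies(req.headers.cookie)["sid"]; // assumed cookie name
  const userId = sessions.get(sid);
  if (userId === undefined) return 401; // no valid session at all
  const id = Number(req.body["post-id"]);
  const post = store.get(id);
  if (!post) return 404;
  if (post.owner !== userId) return 403; // authenticated, but not the owner
  store.delete(id);
  return 204;
}

// Constructed requests. forgedByBob is the curl attack from the issue, sent
// with Bob's own session cookie but targeting Alice's post.
const forgedByBob = { headers: { cookie: "sid=s-bob" }, body: { "post-id": "3" } };
const noCookie = { headers: {}, body: { "post-id": "3" } };
const aliceOwn = { headers: { cookie: "sid=s-alice" }, body: { "post-id": "3" } };
```

The `store` parameter exists only so each call can run against a fresh copy of the constructed data. Whether to return 403 or 404 when the post exists but belongs to someone else is a design choice: 404 for both cases avoids confirming that a guessed ID exists.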