top | item 8783581

kerridge0 | 11 years ago

It looks to me like the url that calls queries_read_records.like_article() only requires a logged-in user and a record id in order to set a read record as liked? Are you saying that it's not possible to guess the id because it's not a sequential number by default in mongodb?

sorpaas | 11 years ago

The article id is public (they are public on the Internet anyway). But it's not possible (at least as designed) to access any user-specific information if not logged in.

kerridge0 | 11 years ago

I'm not talking about an information leak; I'm talking about a potential denial-of-liking attack ☺