From 14a9f038c97ba3ec6afeeeb787d934736cdc39e2 Mon Sep 17 00:00:00 2001
From: ShanuWije <46207432+ShanuWije@users.noreply.github.com>
Date: Sat, 15 May 2021 15:42:02 +0530
Subject: [PATCH 1/3] Adding authentication to list and count methods

As part of the master of information security bug bounty assignment have identified that these endpoints needs to be secured. Otherwise any one can list the users and get the count without login in
---
 flask-backend/api/routes/user.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/flask-backend/api/routes/user.py b/flask-backend/api/routes/user.py
index ffd952af..4154acc3 100644
--- a/flask-backend/api/routes/user.py
+++ b/flask-backend/api/routes/user.py
@@ -64,11 +64,13 @@ def getUser(id):
 'users': result})
 @user.route('/count', methods=["GET"])
+@login_required
 def count():
 return jsonify({'status':200, 'total_users':User.query.count()})
 @user.route('/list', methods=["GET"])
+@login_required
 def list():
 all_users = User.query.order_by(User.timestamp).all()
 result = users_schema.dump(all_users)

From 66e296256b3ce813f5be65197beed25b39c8ccdf Mon Sep 17 00:00:00 2001
From: unknown
Date: Sat, 15 May 2021 15:54:01 +0530
Subject: [PATCH 2/3] Added check to ensure only admin can delete users

---
 flask-backend/api/routes/user.py | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/flask-backend/api/routes/user.py b/flask-backend/api/routes/user.py
index 4154acc3..dfc2ab95 100644
--- a/flask-backend/api/routes/user.py
+++ b/flask-backend/api/routes/user.py
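Review bot: `def list():` shadows the builtin `list` for the rest of this module; a name such as `list_users` (the route string `/list` stays as it is) avoids that and reads better next to `count`. The gate added on both routes is login only, so once authenticated any account receives `users_schema.dump(all_users)` — if that schema serialises more than public profile fields (not visible in this hunk), consider restricting `/list` with the same role check this series later adds to `/delete`, e.g. `if current_user.role != 'admin': return 'forbidden', 403`. No new import is needed for the decorator, since `@login_required` already appears on `deleteuser` in the second patch's context lines. The body of `list` continues outside the hunk.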
@@ -191,14 +191,16 @@ def roleupdate():
 @user.route('/delete', methods=['POST'])
 @login_required
 def deleteuser():
- # Check if email is provided or not
- try:
- req = request.get_json()
- email = str(req['email'])
- except:
- return 'please provide email', 400
+ if current_user.role == 'adimn':
+ # Check if email is provided or not
+ try:
+ req = request.get_json()
+ email = str(req['email'])
+ except:
+ return 'please provide email', 400
- user = User.query.filter_by(email=email).first()
- db.session.delete(user)
- db.session.commit()
- return 'user deleted', 202
+ user = User.query.filter_by(email=email).first()
+ db.session.delete(user)
+ db.session.commit()
+ return 'user deleted', 202
+ return 'You are not an admin.', 409

From 55527de8c8caa1aa5e2fb34acd25bbc3e08ed0c2 Mon Sep 17 00:00:00 2001
From: unknown
Date: Sat, 15 May 2021 16:03:50 +0530
Subject: [PATCH 3/3] getUser by id endpoints needs to be authenticated since this can be used to enumerate all the users in the database without login in

---
 flask-backend/api/routes/user.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/flask-backend/api/routes/user.py b/flask-backend/api/routes/user.py
index dfc2ab95..3c1cdd0f 100644
--- a/flask-backend/api/routes/user.py
+++ b/flask-backend/api/routes/user.py
@@ -37,6 +37,7 @@ def profile():
 @user.route('/getUser/', methods=["GET"])
+@login_required
 def getUser(id):
 user = User.query.filter_by(id=id).first()
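Review bot: The role check `if current_user.role == 'adimn':` compares against a misspelled literal, so presumably no real administrator ever matches and every caller, admins included, gets the 409 — `/delete` becomes unusable rather than protected; the intended value is presumably `'admin'`, which should be confirmed against how roles are stored elsewhere in the project. 409 Conflict is also the wrong status for an authorization failure; 403 Forbidden is the conventional reply. Independently of the new check, `User.query.filter_by(email=email).first()` returns `None` for an unknown email and `db.session.delete(None)` then raises, a pre-existing gap that is cheap to close with a 404 while this function is being touched. Writing the role check as an early-return guard also removes one level of indentation from the whole body, as sketched below.
```python
def deleteuser():
    if current_user.role != 'admin':
        return 'You are not an admin.', 403
    # … unchanged: request.get_json() / email extraction with its 400 response …
    user = User.query.filter_by(email=email).first()
    if user is None:
        return 'user not found', 404
    db.session.delete(user)
    db.session.commit()
    return 'user deleted', 202
```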