From 14a9f038c97ba3ec6afeeeb787d934736cdc39e2 Mon Sep 17 00:00:00 2001
From: ShanuWije <46207432+ShanuWije@users.noreply.github.com>
Date: Sat, 15 May 2021 15:42:02 +0530
Subject: [PATCH 1/3] Adding authentication to list and count methods

As part of the master of information security bug bounty assignment have identified that these endpoints needs to be secured. Otherwise any one can list the users and get the count without login in
---
 flask-backend/api/routes/user.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/flask-backend/api/routes/user.py b/flask-backend/api/routes/user.py
index ffd952a..4154acc 100644
--- a/flask-backend/api/routes/user.py
+++ b/flask-backend/api/routes/user.py
@@ -64,11 +64,13 @@ def getUser(id):
 'users': result})
 @user.route('/count', methods=["GET"])
+@login_required
 def count():
 return jsonify({'status':200, 'total_users':User.query.count()})
 @user.route('/list', methods=["GET"])
+@login_required
 def list():
 all_users = User.query.order_by(User.timestamp).all()
 result = users_schema.dump(all_users)

From 66e296256b3ce813f5be65197beed25b39c8ccdf Mon Sep 17 00:00:00 2001
From: unknown
Date: Sat, 15 May 2021 15:54:01 +0530
Subject: [PATCH 2/3] Added check to ensure only admin can delete users

---
 flask-backend/api/routes/user.py | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/flask-backend/api/routes/user.py b/flask-backend/api/routes/user.py
index 4154acc..dfc2ab9 100644
--- a/flask-backend/api/routes/user.py
+++ b/flask-backend/api/routes/user.py
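Review bot: `@login_required` on `/list` gates the endpoint on authentication only, so every signed-in account can still pull the full user table that `users_schema.dump(all_users)` serialises. If listing users is an administrative function, the role check that the second patch in this series adds to `deleteuser` belongs here as well, e.g. `if current_user.role != 'admin': return 'You are not an admin.', 403` at the top of `list`; otherwise it should at least be confirmed that `users_schema` excludes password hashes and other private fields, which is not visible in this hunk. `/count` is lower risk but would naturally follow the same rule so the two endpoints stay consistent. `list`'s body continues outside the hunk.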
@@ -191,14 +191,16 @@ def roleupdate():
 @user.route('/delete', methods=['POST'])
 @login_required
 def deleteuser():
- # Check if email is provided or not
- try:
- req = request.get_json()
- email = str(req['email'])
- except:
- return 'please provide email', 400
+ if current_user.role == 'adimn':
+ # Check if email is provided or not
+ try:
+ req = request.get_json()
+ email = str(req['email'])
+ except:
+ return 'please provide email', 400
- user = User.query.filter_by(email=email).first()
- db.session.delete(user)
- db.session.commit()
- return 'user deleted', 202
+ user = User.query.filter_by(email=email).first()
+ db.session.delete(user)
+ db.session.commit()
+ return 'user deleted', 202
+ return 'You are not an admin.', 409

From 55527de8c8caa1aa5e2fb34acd25bbc3e08ed0c2 Mon Sep 17 00:00:00 2001
From: unknown
Date: Sat, 15 May 2021 16:03:50 +0530
Subject: [PATCH 3/3] getUser by id endpoints needs to be authenticated since this can be used to enumerate all the users in the database without login in

---
 flask-backend/api/routes/user.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/flask-backend/api/routes/user.py b/flask-backend/api/routes/user.py
index dfc2ab9..3c1cdd0 100644
--- a/flask-backend/api/routes/user.py
+++ b/flask-backend/api/routes/user.py
@@ -37,6 +37,7 @@ def profile():
 @user.route('/getUser/', methods=["GET"])
+@login_required
 def getUser(id):
 user = User.query.filter_by(id=id).first()
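Review bot: The new guard `if current_user.role == 'adimn':` misspells the role, so no account can satisfy it and every delete request, including an administrator's, falls through to the rejection branch; the commit message and the response text both say admin, so the line should read `if current_user.role == 'admin':`. The rejection status on the last added line is also the wrong code for an authorisation failure: 409 signals a resource conflict, whereas a caller who is authenticated but lacks the role should get `return 'You are not an admin.', 403`. Separately, the re-indented lookup `user = User.query.filter_by(email=email).first()` still hands `None` to `db.session.delete` when the email is unknown, which surfaces as a server error rather than a 404; a `if user is None: return 'user not found', 404` before the delete would close that. The whole of `deleteuser` is inside this hunk.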