Settings are accessible to anonymous users

[brylie]

Our Settings are published to the client, even for anonymous users, and include the following fields:

• apiUmbrella
  • authToken
  • apiKey
  • baseUrl
• elasticsearch url

These settings can be abused, so should be handled more carefully.

Steps to reproduce

1. visit the home page as an anonymous user
2. open the browser console
3. search the Settings collection for a single document

[bajiat]

@brylie Has this been resolved already?

[brylie]

@bajiat, we are publishing all settings to anonymous users.

This needs to be changed in at least the following code:

• /core/client/navbar/navbar.js#L18
• /home/client/body/homeBody.js#L6

We need to revoke the credentials currently used in production.

[bajiat]

This requires an urgent hotfix to master and making a release to master.

2016-10-27 10:50 GMT+03:00 Brylie Christopher Oxley <
notifications@github.com>:

It looks like we are publishing all settings to anonymous users.

[image: screenshot_20161027_104814]
https://cloud.githubusercontent.com/assets/17307/19758912/33b804bc-9c33-11e6-94fc-d15d6bd15026.png

We need to fix this issue and revoke the credentials currently used in
production.

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
#1412 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ALFnlPeBmOB-TlouB8DCID1K8HzcNmtJks5q4FfhgaJpZM4JoaSF
.

---

Taija Björklund
p. 040 5177 969
taija.bjorklund@gmail.com
www.linkedin.com/in/taijabjorklund