35 lines
1.3 KiB
Markdown
35 lines
1.3 KiB
Markdown
|
## Basic security
|
||
|
|
||
|
Testing the security of the backend is substantial for obvious reasons. Write automated penetration tests.
|
||
|
There should be testcases for
|
||
|
|
||
|
|
||
|
| table | editor | candidate | user(v) | user | other |
|
||
|
|------------|--------|-----------|---------|------|-------|
|
||
|
| person | sdU | sDU | sDU | | |
|
||
|
| account | S | S | S | S | | not sure about this
|
||
|
| answer | s | sDUI | s | | |
|
||
|
| question | sdui | s | s | | |
|
||
|
| categories | sdui | s | s | | |
|
||
|
|
||
|
|
||
|
| function | editor | candidate | user(v) | user | other |
|
||
|
|--------------|--------|-----------|---------|------|-------|
|
||
|
| register | | | | | E |
|
||
|
| authenticate | E | E | E | E | |
|
||
|
| change pw | E | E | E | | |
|
||
|
| change role | e | | | | |
|
||
|
|
||
|
where
|
||
|
* s: select
|
||
|
* d: delete
|
||
|
* u: update
|
||
|
* i: insert
|
||
|
* e: execute
|
||
|
|
||
|
An uppercase version of the above letters means that the operation is only possible on rows directly related to the user id, e.g. a candidate can only delete, update and insert the own answer(s).
|
||
|
|
||
|
## Passwords
|
||
|
DO NOT LOG THE PASSWORDS
|
||
|
postgres logging conf may need adoption to NOT log passwords in plain text.
|