1.3 KiB
1.3 KiB
Basic security
Testing the security of the backend is substantial for obvious reasons. Write automated penetration tests. There should be testcases for
table | editor | candidate | user(v) | user | other |
---|---|---|---|---|---|
person | sdU | sDU | sDU | ||
account | S | S | S | S | |
answer | s | sDUI | s | ||
question | sdui | s | s | ||
categories | sdui | s | s |
function | editor | candidate | user(v) | user | other |
---|---|---|---|---|---|
register | E | ||||
authenticate | E | E | E | E | |
change pw | E | E | E | ||
change role | e |
where
- s: select
- d: delete
- u: update
- i: insert
- e: execute
An uppercase version of the above letters means that the operation is only possible on rows directly related to the user id, e.g. a candidate can only delete, update and insert the own answer(s).
Passwords
DO NOT LOG THE PASSWORDS postgres logging conf may need adoption to NOT log passwords in plain text.