🐛 Check in List Browseable without any Authentication #312

Open
jameskitt616 opened this issue Dec 9, 2024 · 3 comments
Labels
bug Something isn't working

Comments

jameskitt616 commented Dec 9, 2024

Describe the bug
The Created Checkin Lists are Viewable/Editable without any Verification or Login.
Anybody who knows the URL can just Check-In or Out anybody and view the person's full Name etc.

To Reproduce
Steps to reproduce the behavior:

  1. Create a new Event
  2. Create a Check-In List
  3. Open new Private Tab in Browser
  4. You can see and edit the Check-In List.

Expected behavior
Even with knowing the Link of the Check-In list, it should only be possible to View/Browse/Edit it when Authenticated as Admin or Organizer.

Desktop (please complete the following information):

  • OS: Fedora Linux 41
  • Brave Version 1.73.97, Firefox Version 133.0

Hi.Events Version and platform
Docker v0.8.0-beta.6

@jameskitt616 jameskitt616 added the bug Something isn't working label Dec 9, 2024
@daveearley
Contributor

Hi @jameskitt616,

This is by design as many event organizers want to quickly share the check-in tool with staff/volunteers without needing to create accounts.

While it may seem insecure, the random ID in the URL (e.g. cil_UTQJExyuGhYym) is 13 characters long and includes any alphanumeric characters. The number of combinations possible is 200,028,539,268,669,788,905,472, so it's unlikely anyone will guess the ID.

I hope this explanation puts your mind at ease.

@jameskitt616
Author

jameskitt616 commented Dec 10, 2024

I do understand why this decision was made and why and how valuable this is to some.
But on the other side it also creates a threat to some.
Imagine an event where one of the staff/volunteers hired is not trustworthy or accidentally leaks/shares the link with the wrong person, and now the 'evil actor' decides to go through and just mark everyone as checked in/out. Now you've got a huge problem and you cannot stop them from doing this.

I would suggest some middle way:
Add an option at creation and when editing the Check-In list to enable/disable authentication for the specific list.
This way you could limit access only to 'trusted' people with accounts and still keep this business going on smaller staff and prevent the 'evil person' from sabotaging your business.
I'd also suggest to add some info banner to creation and editing of the Check-In list to warn about this list being publicly accessible for everyone who knows the link, if the authentication option is disabled.

The threat isn't purely on trying to brute-force the random ID for the list.

Also: Thank you very much for the fast response. The tool is absolutely amazing! Keep it up.

@daveearley
Contributor

That's a valid point! Currently the only way to disable access is to delete the list, which isn't ideal. I'll try to fit this change into the upcoming v1 release.

Thanks again.
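
The two concerns raised in this thread, as an added example that is not Hi.Events code: the ID space quoted above makes guessing impractical, but only a per-list setting stops someone who already holds a leaked link. `CheckInList`, `require_auth`, `Requester` and the role names are hypothetical, modelled on the suggestion in the thread.

```python
import math
import secrets
import string
from dataclasses import dataclass
from typing import Optional

ALPHABET = string.ascii_letters + string.digits  # 62 alphanumeric symbols
ID_LENGTH = 13                                   # length quoted in the thread


def new_list_id() -> str:
    """Generate an ID shaped like the thread's example: 'cil_' + 13 random chars."""
    return "cil_" + "".join(secrets.choice(ALPHABET) for _ in range(ID_LENGTH))


def id_space() -> int:
    """Number of possible IDs (62 ** 13)."""
    return len(ALPHABET) ** ID_LENGTH


def id_entropy_bits() -> float:
    """Entropy of a uniformly random ID, in bits."""
    return ID_LENGTH * math.log2(len(ALPHABET))


@dataclass
class CheckInList:
    short_id: str
    require_auth: bool = False  # hypothetical per-list toggle proposed in the thread


@dataclass
class Requester:
    role: Optional[str] = None  # None = anonymous link holder (assumed role model)


def can_access(lst: CheckInList, presented_id: str, who: Requester) -> bool:
    """Decide whether a request may view or edit the check-in list."""
    # Compare the ID taken from the URL in constant time.
    if not secrets.compare_digest(lst.short_id.encode(), presented_id.encode()):
        return False
    if not lst.require_auth:
        # Behaviour described in the issue: knowing the link is sufficient.
        return True
    # With the toggle on, a leaked link alone no longer grants access.
    return who.role in {"admin", "organizer"}
```

Turning `require_auth` on for an existing list cuts off a leaked link without deleting the list, which is the gap the last comment acknowledges.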
