1b.app

Finalize the API: add a check of user access rights

Relevant if you:
- use the box's API (and almost everyone does), i.e. you have at least one "user" whose login and hash are exposed somewhere on a site
- care about your information security
A very important task in terms of data security.
At the moment the box does not check what may be returned in response to a request and what may not!
Situation:
- we gave the login and hash to external developers so that they could embed it on the site and upload leads into our box
- i.e. this API key is needed ONLY for uploading leads
And now the most interesting part:
- someone somehow learns / obtains / intercepts the login and hash values
- goes to the site crm-onebox.com and takes from the public knowledge base the information on how to write requests
- writes requests to get ALL contacts, ALL processes, DELETE contacts, DELETE processes, etc., and executes them
- as a result, at some fine moment it may turn out that the box has to be restored from a backup, but by that time the da
Original question is available on version: ru
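One way such a check could be implemented, as an added example that is not OneBox's own code: the server stores only a digest of each API hash, binds every login to the set of actions it was issued for, and refuses any request outside that set before a handler runs. The action names ("lead.create", "contact.list", ...), the credential store and the contact data are assumptions constructed for the example; the real OneBox method names are not given on the page.

```python
"""Added example (not OneBox code): scope each API login to the actions it needs."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable

# Hypothetical action names; the real OneBox API method names are not on the page.
ALL_ACTIONS = frozenset({
    "lead.create", "contact.list", "contact.delete",
    "process.list", "process.delete",
})


@dataclass(frozen=True)
class ApiCredential:
    login: str
    secret_digest: str   # SHA-256 of the API hash; the hash itself is never stored
    scopes: frozenset    # actions this login is allowed to call


class AuthFailed(Exception):
    """Login unknown or hash does not match."""


class AccessDenied(Exception):
    """Credential is valid but not allowed to call this action."""


def digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed credential store: the key handed to the external site developers
# may ONLY upload leads; a separate internal login may read but not delete.
CREDENTIALS = {
    "site-form": ApiCredential("site-form", digest("s3cret-for-site"),
                               frozenset({"lead.create"})),
    "bi-export": ApiCredential("bi-export", digest("s3cret-for-bi"),
                               frozenset({"contact.list", "process.list"})),
}

# Constructed in-memory data so the handlers have something to act on.
CONTACTS = {1: "Ivanov", 2: "Petrov"}
AUDIT_LOG: list = []


def authenticate(login: str, api_hash: str) -> ApiCredential:
    cred = CREDENTIALS.get(login)
    # Always run the comparison, even for an unknown login, so response time
    # does not reveal which logins exist.
    expected = cred.secret_digest if cred else digest("")
    if not hmac.compare_digest(expected, digest(api_hash)) or cred is None:
        raise AuthFailed("bad login or hash")
    return cred


def authorize(cred: ApiCredential, action: str) -> None:
    if action not in ALL_ACTIONS:
        raise AccessDenied(f"unknown action {action!r}")
    if action not in cred.scopes:
        raise AccessDenied(f"{cred.login} is not allowed to call {action}")


def create_lead(params: dict) -> int:
    new_id = max(CONTACTS, default=0) + 1
    CONTACTS[new_id] = params["name"]
    return new_id


# Handlers are only reachable after authenticate() and authorize() both pass.
HANDLERS: dict[str, Callable[[dict], object]] = {
    "lead.create": create_lead,
    "contact.list": lambda p: dict(CONTACTS),
    "contact.delete": lambda p: CONTACTS.pop(p["id"]),
    "process.list": lambda p: [],
    "process.delete": lambda p: None,
}


def handle_request(request: dict) -> dict:
    """Entry point: {"login", "hash", "action", "params"} -> {"ok", ...}."""
    login = request.get("login", "")
    action = request.get("action", "")
    try:
        cred = authenticate(login, request.get("hash", ""))
        authorize(cred, action)
    except AuthFailed as e:
        AUDIT_LOG.append(("auth_failed", login, action))
        return {"ok": False, "error": str(e)}
    except AccessDenied as e:
        AUDIT_LOG.append(("denied", login, action))
        return {"ok": False, "error": str(e)}
    result = HANDLERS[action](request.get("params", {}))
    AUDIT_LOG.append(("ok", cred.login, action))
    return {"ok": True, "result": result}


if __name__ == "__main__":
    site = {"login": "site-form", "hash": "s3cret-for-site"}
    # The site key does what it was issued for ...
    print(handle_request({**site, "action": "lead.create", "params": {"name": "Sidorov"}}))
    # ... but whoever intercepts that same login and hash can no longer dump
    # or delete everything, and the attempt is recorded.
    print(handle_request({**site, "action": "contact.list"}))
    print(handle_request({**site, "action": "contact.delete", "params": {"id": 1}}))
    print(AUDIT_LOG)
```

The point of the design is that the scope lives on the server side next to the credential: a leaked "upload leads" key can still upload leads, and nothing else, and every denied call leaves an audit entry that can trigger key rotation.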

Answers:

Please let me know whether this task is planned to be completed.
I also note that there is no "vote" button on this task.
28.05.2019, 13:56

Alexander, at the moment an author cannot vote for his own tasks. This was done to make the voting more objective.
02.09.2019, 18:35

Перегиняк Александр
Oneboxconsulting (integrator)
This issue is still relevant. Can anyone suggest how it could be implemented?
28.10.2020, 13:59
