Webfrontend #720

Security audition

Added by Alexander Blum over 5 years ago. Updated over 4 years ago.

Status:NeuStart date:
Priority:NormalDue date:
Assignee:-% Done:


Category:-Estimated time:10.00 h
Target version:Repertoire 4) Production phase I



  • ACLs in
    • form controller
    • api
    • templates
  • usage of oid (and not id) in
    • form controller
    • apis
  • permissions in resources
  • handling of user input
    • in colander (data type, validator)
    • in form controller (where it is passed to tryton)
    • in api (where it is passed to tryton)
  • escaping of (user) data in tryton
  • escaping of (user) data in javascript
  • values of secrets (crsf, password salts, etc)
  • logging of actions, which changes the db


#1 Updated by Alexander Blum about 5 years ago

  • Estimated time set to 10.00

#2 Updated by Alexander Blum over 4 years ago

  • Target version changed from 4) Production phase I to Repertoire 4) Production phase I

#3 Updated by Alexander Blum over 4 years ago

  • Project changed from repertoire to collecting_society

Also available in: Atom PDF