Contamination, or: How to purge mystery NextAction from SqlLite Tracks DB
 
emory
Posted: 18 August 2006 05:21 PM
Newbie
Total Posts: 18
Joined 2006-07-26

While I was playing with newTodo.rb (which is pretty rad) I didn’t know which ID went to which context.

So I created a bunch to context 1 called “one”, context 2 called “two”, context 3 called “three” etc.

So I enumerated all of my contexts and I accidentally did “six”.

Now I have this in my db:

INSERT INTO "todos" VALUES(88, 6, NULL, 'six', NULL, 'f', '2006-08-17 18:14:40', NULL, NULL, 1);
INSERT INTO "todos" VALUES(89, 6, NULL, 'six-1', NULL, 'f', '2006-08-17 18:15:31', NULL, NULL, 1);

Is there any way to prevent users from stomping on other people’s contexts?

On the other hand, it’s kind of nice that you COULD add things to other people’s Tracks, HOWEVER the problem is that it will show up in my feed of all actions, but is NOT in my Tracks pages.

And the user that wound up with my NextAction cannot edit or delete it.

Any ideas?

 
emory
Posted: 18 August 2006 05:39 PM [ # 1 ]
Newbie
Total Posts: 18
Joined 2006-07-26

ah, friend of mine figured it out:

delete from todos where id=88;
delete from todos where id=89;

Now, the problem still remains, users can inject things into the contexts of other users and they cannot manipulate them.

I don’t know if it qualifies as a bug, but it could get nasty.

 
bsag
Posted: 18 August 2006 05:53 PM [ # 2 ]
Administrator
Total Posts: 195
Joined 2006-03-05

emory, could you explain what you did in a little more depth? You added actions to each of your contexts via the newTodo.rb script, but added something to context id=6. Did context 6 exist before? If so, which user did you add them as?

 
emory
Posted: 18 August 2006 07:54 PM [ # 3 ]
Newbie
Total Posts: 18
Joined 2006-07-26

bsag - 18 August 2006 05:53 PM

emory, could you explain what you did in a little more depth? You added actions to each of your contexts via the newTodo.rb script, but added something to context id=6. Did context 6 exist before? If so, which user did you add them as?

Okay.

I set up newTodo.rb with my key and I didn’t know what my context IDs were. So I enumerated them by using the -c flag.

I added a bunch of tasks like this:

newTodo.rb -c 1 "one"
newTodo.rb -c 2 "two"
newTodo.rb -c 3 "three" .. etc

This then created items in my contexts by ID with the title “one” in context id=1, “two” in context id=2, etc.

The problem is that I didn’t have a context ID 6.

So when I created one with my credentials, they wound up in someone else’s Tracks instance because their “@home” context was id=6.

Now the problem with this is that since Tracks doesn’t validate that my user/token wasn’t allowed to write to id=6 (or shouldn’t be) I couldn’t delete that item, since I don’t see it in the UI, and the user that wound up with it couldn’t delete it because it was created by me.

So I could connect to any public Tracks server, and get an account, and then use newTodo.rb to spam people or inject bogus NextActions into the database for those users.

I could see this being a problem.

Need any more information?

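To make the failure emory describes concrete, here is an added illustration that is not Tracks' own code: a small in-memory stand-in for the users, contexts and todos tables, with the unchecked create (resolve the client-supplied context id globally) beside the ownership-scoped create (resolve it only among the caller's contexts, which is what current_user.contexts.find(id) does in a Rails app), plus an audit that lists todos whose owner differs from the owner of their context. The class and method names, and the sample users and contexts, are constructed for the example; only the context ids and titles mirror the thread.

```ruby
# Added example, not code from the Tracks project. Minimal models of the
# three tables involved in the thread (ids and names are constructed).
User    = Struct.new(:id, :login)
Context = Struct.new(:id, :user_id, :name)
Todo    = Struct.new(:id, :context_id, :description, :user_id)

class TracksStore
  attr_reader :users, :contexts, :todos

  def initialize
    @users, @contexts, @todos = [], [], []
    @next_todo_id = 1
  end

  def add_user(id, login)
    @users << User.new(id, login)
  end

  def add_context(id, user_id, name)
    @contexts << Context.new(id, user_id, name)
  end

  # Vulnerable pattern: the context id from the request is trusted as long
  # as some context with that id exists, so any authenticated user can
  # file a todo into any other user's context.
  def create_todo_unchecked(user, context_id, description)
    raise ArgumentError, "no such context" unless @contexts.any? { |c| c.id == context_id }
    insert_todo(user, context_id, description)
  end

  # Hardened pattern: the id is resolved only among the caller's own
  # contexts, so an id belonging to someone else is simply "not found".
  def create_todo(user, context_id, description)
    ctx = @contexts.find { |c| c.id == context_id && c.user_id == user.id }
    raise ArgumentError, "context #{context_id} not owned by #{user.login}" unless ctx
    insert_todo(user, context_id, description)
  end

  # Audit: todos whose owner is not the owner of their context. These are
  # the rows that show up in one user's action feed while being invisible
  # (and undeletable) in the other user's pages, as in the thread.
  def cross_owner_todos
    by_id = @contexts.each_with_object({}) { |c, h| h[c.id] = c }
    @todos.select { |t| (ctx = by_id[t.context_id]) && ctx.user_id != t.user_id }
  end

  private

  def insert_todo(user, context_id, description)
    todo = Todo.new(@next_todo_id, context_id, description, user.id)
    @next_todo_id += 1
    @todos << todo
    todo
  end
end

# Constructed sample data mirroring the thread: one user owns contexts
# 1-3, another user owns context 6 ("@home").
def build_sample_store
  store = TracksStore.new
  store.add_user(1, "emory")
  store.add_user(2, "other")
  [[1, "one"], [2, "two"], [3, "three"]].each { |id, name| store.add_context(id, 1, name) }
  store.add_context(6, 2, "@home")
  store
end

# Runs both paths: the unchecked create leaks a todo into context 6, the
# audit reports it, and the scoped create rejects the same request.
def demo
  store = build_sample_store
  emory = store.users.find { |u| u.login == "emory" }
  store.create_todo_unchecked(emory, 6, "six")
  leaked = store.cross_owner_todos.map(&:description)
  rejected = begin
    store.create_todo(emory, 6, "six-1")
    false
  rescue ArgumentError
    true
  end
  { leaked: leaked, rejected: rejected }
end

puts demo.inspect if __FILE__ == $0
```

The audit function is the part worth keeping around after the fix: the manual cleanup in the thread worked because the two row ids were known, whereas a join of todos against their contexts' owners finds every such row on an instance that ran the unchecked code.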
 
bsag
Posted: 18 August 2006 09:14 PM [ # 4 ]
Administrator
Total Posts: 195
Joined 2006-03-05

OK, I see the problem now. Yes, that is an issue we should look at.

 
lukemelia
Posted: 25 August 2006 03:17 AM [ # 5 ]
Member
Total Posts: 62
Joined 2006-07-18

I’ve committed changes that I believe should fix this.

Luke Melia - Tracks committer - New York, NY - http://www.lukemelia.com/
