Challenge Overview
Challenge Objectives
- As part of this challenge you need to fix a security issue in the /challenges/:challengeId/resources endpoint.
Project Background
We’re in the process of adding support to store more information about our users as traits in order to improve the overall user experience in our platform.
Technology Stack
- Java 8
- Maven 3
- Docker and Docker Compose
- DynamoDB
- AWS
- ElasticSearch
Code Access
Existing Code: https://github.com/appirio-tech/ap-challenge-microservice
Branches: dev
You will find a self-registration link attached on the forum in case you don’t have access to the repo.
If the self-registration link does not work for you, you can also find the source code attached.
Individual requirements
Currently, any copilot can use the /challenges/:challengeId/resources endpoint to gain access to a challenge that he/she would normally not have access to.
This is a serious security issue and needs to be fixed.
You need to update the Member Service so that only the following roles can call the PUT/DELETE/POST /challenges/:challengeId/resources endpoints:
- Admins
- Members who have ‘Copilot’ access to the project
- Members who have ‘Manager’ access to the project
You need to update existing tests (if there are any) and create positive and negative tests to cover all possible scenarios.
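The following is an added example of the kind of deny-by-default authorization check the requirement above describes; it is not code from ap-challenge-microservice, and every class, method and sample value in it (ResourceEndpointAuthorizer, ProjectAccess, the lookup interfaces, the challenge and project ids) is an assumption made for illustration. The point it demonstrates is that holding the Copilot role somewhere is not enough: the caller must hold Copilot or Manager access on the specific project that owns the challenge, or be an admin, and an unknown challenge is denied rather than let through.

```java
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

/**
 * Added example (not code from ap-challenge-microservice): a deny-by-default
 * authorization check for PUT/DELETE/POST /challenges/:challengeId/resources.
 * All names below are assumptions for illustration; Java 8 compatible.
 */
public class ResourceEndpointAuthorizer {

    /** Project-level access a member may hold (assumed values). */
    public enum ProjectAccess { COPILOT, MANAGER, OBSERVER, NONE }

    /** Caller identity as the service sees it after authentication (assumed shape). */
    public static final class Caller {
        final String handle;
        final boolean isAdmin;
        Caller(String handle, boolean isAdmin) { this.handle = handle; this.isAdmin = isAdmin; }
    }

    /** Project access levels allowed to modify a challenge's resources. */
    private static final Set<ProjectAccess> ALLOWED =
        EnumSet.of(ProjectAccess.COPILOT, ProjectAccess.MANAGER);

    /** A member's access level on one project; a data-store query in the real service. */
    public interface ProjectAccessLookup {
        ProjectAccess accessFor(String handle, long projectId);
    }

    /** The project that owns a challenge; returns null when the challenge does not exist. */
    public interface ChallengeProjectLookup {
        Long projectIdOf(String challengeId);
    }

    private final ProjectAccessLookup accessLookup;
    private final ChallengeProjectLookup challengeLookup;

    public ResourceEndpointAuthorizer(ProjectAccessLookup accessLookup, ChallengeProjectLookup challengeLookup) {
        this.accessLookup = Objects.requireNonNull(accessLookup);
        this.challengeLookup = Objects.requireNonNull(challengeLookup);
    }

    /**
     * True only for admins and for members holding Copilot or Manager access on the
     * project that owns the challenge. Everything else, including an unknown challenge
     * or a missing access record, is denied so the check fails closed.
     */
    public boolean canModifyResources(Caller caller, String challengeId) {
        Objects.requireNonNull(caller, "caller");
        if (caller.isAdmin) {
            return true;
        }
        Long projectId = challengeLookup.projectIdOf(challengeId);
        if (projectId == null) {
            return false; // unknown challenge: deny, and reveal nothing about other projects
        }
        ProjectAccess access = accessLookup.accessFor(caller.handle, projectId);
        return access != null && ALLOWED.contains(access);
    }

    private static void check(boolean actual, boolean expected, String scenario) {
        if (actual != expected) {
            throw new AssertionError(scenario + ": expected " + expected + " but got " + actual);
        }
    }

    /** Positive and negative scenarios over constructed sample data (not real ids). */
    public static void main(String[] args) {
        Map<String, Long> challengeToProject = new HashMap<>();
        challengeToProject.put("30001", 100L);
        challengeToProject.put("30002", 200L);

        // Only project 100 has any members in this constructed data set.
        Map<String, ProjectAccess> accessOnProject100 = new HashMap<>();
        accessOnProject100.put("copilot_a", ProjectAccess.COPILOT);
        accessOnProject100.put("manager_b", ProjectAccess.MANAGER);
        accessOnProject100.put("observer_c", ProjectAccess.OBSERVER);

        ResourceEndpointAuthorizer auth = new ResourceEndpointAuthorizer(
            (handle, projectId) -> projectId == 100L
                ? accessOnProject100.getOrDefault(handle, ProjectAccess.NONE)
                : ProjectAccess.NONE,
            challengeToProject::get);

        Caller admin = new Caller("admin_x", true);
        Caller copilotA = new Caller("copilot_a", false);
        Caller managerB = new Caller("manager_b", false);
        Caller observerC = new Caller("observer_c", false);

        check(auth.canModifyResources(admin, "30002"), true, "admin on any challenge");
        check(auth.canModifyResources(copilotA, "30001"), true, "copilot on own project");
        check(auth.canModifyResources(managerB, "30001"), true, "manager on own project");
        check(auth.canModifyResources(copilotA, "30002"), false, "copilot on another project's challenge");
        check(auth.canModifyResources(observerC, "30001"), false, "observer on own project");
        check(auth.canModifyResources(copilotA, "99999"), false, "unknown challenge");
        System.out.println("all authorization scenarios behaved as expected");
    }
}
```

The scenarios in main are the shape the requested positive and negative tests would take: one passing case per allowed role, plus a copilot of a different project, a member with a non-qualifying access level, and a non-existent challenge, each of which must be rejected.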
Feel free to ask any questions on the challenge forum!
What to Submit
- A git patch against the latest commit in the dev branch.
- A verification document with detailed instructions on how to test your fixes.