by sorpaas 4192 days ago
Sorry I'm a bit late.

No. It's not possible to guess someone else's article (I guess you probably mean reading records here). Those reading records must be retrieved or set with a cookie that indicates the user has logged in with the right account (which is done by AJAX in the code).


It looks to me like the URL that calls queries_read_records.like_article() only requires a logged-in user and a record id in order to set a read record as liked? Are you saying that it's not possible to guess the id because it's not a sequential number by default in MongoDB?
The article ids are public (they are public on the Internet anyway). But it's not possible (at least as designed) to access any user-specific information if not logged in.
I'm not talking about an information leak; I'm talking about a potential denial-of-liking attack ☺
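As an added illustration of the authorization gap under discussion (this is not the project's code; the handler, model and id names below are hypothetical, and the records are a constructed in-memory stand-in for a MongoDB collection): a like handler that only checks for a logged-in session, beside one that also requires the record to belong to the session user. The point is that a non-sequential (ObjectId-style) record id is not an access control; the ownership filter is. The owner-checked version answers "not found" for both a missing record and someone else's record, so it also does not confirm that a guessed id exists.

```python
# Added example, not code from the project being discussed. All names are
# hypothetical; the dict returned by make_sample_records() is a constructed
# stand-in for a MongoDB collection of per-user reading records.
from dataclasses import dataclass


@dataclass
class ReadRecord:
    record_id: str   # would be a MongoDB ObjectId: non-sequential, but not secret
    owner: str       # user who created this reading record
    article_id: str  # public article identifier
    liked: bool = False


class NotLoggedIn(Exception):
    pass


class NotFound(Exception):
    pass


def make_sample_records():
    """Constructed sample data: two users who each read the same public article."""
    return {
        "rec-alice-1": ReadRecord("rec-alice-1", "alice", "article-42"),
        "rec-bob-1": ReadRecord("rec-bob-1", "bob", "article-42"),
    }


def like_article_unchecked(records, session_user, record_id):
    """Only checks that *some* user is logged in. Any logged-in user who knows
    or guesses another user's record id can flip that record's liked flag."""
    if session_user is None:
        raise NotLoggedIn()
    rec = records.get(record_id)
    if rec is None:
        raise NotFound()
    rec.liked = True
    return rec


def like_article_owner_checked(records, session_user, record_id):
    """Also requires the record to belong to the session user. This mirrors a
    MongoDB update filtered on both _id and owner: someone else's record is
    indistinguishable from a missing one, so nothing is modified or revealed."""
    if session_user is None:
        raise NotLoggedIn()
    rec = records.get(record_id)
    if rec is None or rec.owner != session_user:
        raise NotFound()  # same response for "missing" and "not yours"
    rec.liked = True
    return rec


def attempt(handler, records, session_user, record_id):
    """Run a handler and report the outcome as a string, for comparing the two."""
    try:
        handler(records, session_user, record_id)
        return "liked"
    except NotLoggedIn:
        return "not logged in"
    except NotFound:
        return "not found"


if __name__ == "__main__":
    # bob, logged in, tries to like alice's reading record with each handler
    for handler in (like_article_unchecked, like_article_owner_checked):
        records = make_sample_records()
        outcome = attempt(handler, records, "bob", "rec-alice-1")
        print(f"{handler.__name__}: bob -> rec-alice-1: {outcome}; "
              f"alice's record liked = {records['rec-alice-1'].liked}")
```

The same ownership filter belongs on any endpoint that mutates a per-user record (an unlike or delete handler, if one exists, would have the same gap otherwise), since the record id is what a client sends, not proof of who owns it.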