You think this is funny, but a codebase I once inherited did exactly this. Up until that point in my life, I never imagined I’d ever have such a violent urge to strangle someone.
Bonus: the system had two types of accounts for signups: one for employers and one for employees. Naturally, it would set the role of the created account during the signup process, but the issue was that anyone could submit a signup request with a custom payload and set themselves as the third account type: administrator.
Bonus #2: during a self-update request (avatar change, etc), users were able to change their own IDs in the database.
It was 100% vibe-coded by two imbeciles in two months. We had to rebuild 80% of that codebase.
Pro tip: A lot of websites that don’t let you update certain fields about your profile or other things actually do let you, because it’s a full payload patch on the backend. You just need to modify the fields in dev tools.
Note: I did this on a hotel website to change my email address and then ended up creating a bad scenario where my login account email didn’t match my hotel profile email…they fixed it for me and said, “we aren’t sure what happened”. I didn’t say anything.
You think this is funny, but a codebase I once inherited did exactly this. Up until that point in my life, I never imagined I’d ever have such a violent urge to strangle someone.
Bonus: the system had two types of accounts for signups: one for employers and one for employees. Naturally, it would set the role of the created account during the signup process, but the issue was that anyone could submit a signup request with a custom payload and set themselves as the third account type: administrator.
Bonus #2: during a self-update request (avatar change, etc), users were able to change their own IDs in the database.
It was 100% vibe-coded by two imbeciles in two months. We had to rebuild 80% of that codebase.
People are already inheriting vibe coded codebases?
What is this, a one sentence horror contest?
Definitely! And the reason is obvious.
Pro tip: A lot of websites that don’t let you update certain fields about your profile or other things actually do let you, because it’s a full payload patch on the backend. You just need to modify the fields in dev tools.
Note: I did this on a hotel website to change my email address and then ended up creating a bad scenario where my login account email didn’t match my hotel profile email…they fixed it for me and said, “we aren’t sure what happened”. I didn’t say anything.