Our "full stack" dev loves overcomplication, using absolutely every new feature in a language, and uses buzzwords constantly. Loves to talk about patterns, using reflection, abstraction, etc. for what is essentially really simple CRUD stuff.
Unfortunately, he's totally ignorant on security, doesn't really understand how HTTP works with status codes and content types, has no clue on anything system administration/configuration related, doesn't comment his code, insists on using "common shared code" for things like DB connections but he doesn't document their use or provide examples, and often breaks other code when he tweaks them with updates. He also drives a Mustang.
I've found a few exploitable bugs in just one part of our ERP system due to unnecessary use of hidden inputs on a web page that are then trusted on submission (i.e., the entire record is updated, not just the fields the user is allowed to edit). At least a user can only edit their own stuff, but fields that shouldn't be editable (i.e., college-provided primary email address) can be with the simple use of Chrome's dev tools debugger/inspector.
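Added illustration of the bug class described in the post above (trusting every submitted field, hidden inputs included, on a self-service update). This is example code, not code from the original post or from the ERP system it describes; the record, the form bodies, the `EDITABLE_FIELDS` allow-list and the function names are all constructed here. It shows the trusting handler next to an allow-list handler that also reports which non-editable fields came back with a changed value, which is the signal a defender would want in the logs.

```python
# Added example (not from the original post): a minimal profile-update handler,
# first trusting every submitted field, then restricted to an allow-list.
# Everything below (record, form bodies, allow-list) is constructed sample data.

from urllib.parse import parse_qs

# Constructed sample: the record as stored server-side.
STORED_RECORD = {
    "id": 4711,
    "display_name": "Student A",
    "phone": "555-0100",
    "primary_email": "student.a@college.example",  # college-provided, must not be user-editable
}

# Fields the self-service page is meant to let the user change (assumed allow-list).
EDITABLE_FIELDS = frozenset({"display_name", "phone"})

# Constructed: a normal submission (hidden input echoed back unchanged) and one
# where the hidden primary_email input was edited in the browser's dev tools.
HONEST_BODY = "display_name=Student+A&phone=555-0199&primary_email=student.a%40college.example"
TAMPERED_BODY = "display_name=Student+A&phone=555-0199&primary_email=changed%40example.org"


def parse_form_body(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded POST body into a flat dict
    (last value wins if a key is repeated)."""
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}


def update_vulnerable(record: dict, form: dict) -> dict:
    """The bug: every submitted key that exists on the record is written back,
    so a field rendered as <input type="hidden"> is as editable as any other."""
    updated = dict(record)
    for key, value in form.items():
        if key in updated:
            updated[key] = value
    return updated


def update_hardened(record: dict, form: dict) -> tuple[dict, list[str]]:
    """The fix: copy only allow-listed fields. Returns the updated record plus the
    names of non-editable fields whose submitted value differs from what is stored,
    so the caller can log them (an honest client echoes the stored value back)."""
    updated = dict(record)
    tampered = []
    for key, value in form.items():
        if key in EDITABLE_FIELDS:
            updated[key] = value
        elif key in record and value != record[key]:
            tampered.append(key)
    return updated, sorted(tampered)


if __name__ == "__main__":
    form = parse_form_body(TAMPERED_BODY)
    print("vulnerable:", update_vulnerable(STORED_RECORD, form)["primary_email"])
    rec, flagged = update_hardened(STORED_RECORD, form)
    print("hardened:  ", rec["primary_email"], "flagged:", flagged)
```

Rendering the non-editable value as plain text instead of a hidden input removes the temptation entirely; the allow-list is still needed, because nothing stops a client from adding the parameter anyway.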