If a user has any role other than student, then he is able to see all other users' data through a forged API request
Closed this issue · 1 comment
rokj commented
MeetPlanBackend/httphandlers/user.go
Line 216 in c2a3d03
rokj commented
Also, any user can make a /users/get request to the backend where he can see all the users' data.
Better than relying on the JSON data in the JWT is to check for the proper role of the user in the DB.
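A minimal illustration of the fix suggested above, added here as example code that is not MeetPlanBackend's own (the role names, user records and function names are assumptions): the weak handler keys its decision off the role claim carried in the token payload, while the hardened one uses only the authenticated user id and re-reads the role from the store.

```go
package main

import "errors"

// Role values and records below are constructed for this example; they are
// not MeetPlanBackend's own identifiers.
const RoleStudent = "student"
type User struct{ ID int; Name, Role string }

// UserStore stands in for the database lookup the fix relies on.
type UserStore map[int]User
var ErrForbidden = errors.New("forbidden")

// sampleStore holds one student, one teacher and one admin.
var sampleStore = UserStore{
	1: {ID: 1, Name: "alice", Role: RoleStudent},
	2: {ID: 2, Name: "bob", Role: "teacher"},
	3: {ID: 3, Name: "carol", Role: "admin"},
}

func allUsers(store UserStore) []User {
	out := make([]User, 0, len(store))
	for _, u := range store {
		out = append(out, u)
	}
	return out
}

// weakGetUsers enforces the role carried in the token payload (the pattern the
// issue reports): whatever role the request claims is what gets enforced.
func weakGetUsers(store UserStore, claimedRole string) ([]User, error) {
	if claimedRole == RoleStudent {
		return nil, ErrForbidden
	}
	return allUsers(store), nil
}

// safeGetUsers uses only the authenticated user id and re-reads the role from
// the store, so nothing in the token payload can widen what the caller sees.
func safeGetUsers(store UserStore, authUserID int) ([]User, error) {
	caller, ok := store[authUserID]
	if !ok {
		return nil, ErrForbidden
	}
	if caller.Role == RoleStudent {
		return []User{caller}, nil // a student sees only their own record
	}
	return allUsers(store), nil
}
```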