VULNERABILITY: every authenticated user can delete every post
bpavuk opened this issue · 0 comments
bpavuk commented
Testing protocol
Created a post as the test1 user, then tried to delete test1's post as test2.
Result
Deletion was successful
Expected result
Unsuccessful deletion attempt.
Possible solution
Request the user's ID, and if the post's author ID is not equal to the user's ID, send an appropriate response (Unauthorized).
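The following is an added example, not code from this project or from the issue author, showing the missing ownership check the issue describes. It assumes a framework-agnostic delete handler over an in-memory post store (the `PostStore`, `Post`, and handler names are hypothetical). The vulnerable handler only verifies that a user is logged in; the fixed handler also compares the post's stored `author_id` with the ID of the authenticated user. Two practitioner notes: the user ID must come from the server-side session, never from a client-supplied field, or the check can be bypassed; and in HTTP terms an authenticated user lacking permission conventionally gets 403 Forbidden, while 401 Unauthorized is for requests that are not authenticated at all, so the example returns 403 for the cross-user case the issue reports.

```python
# Added example (not the project's code): an ownership check for a
# "delete post" endpoint, shown vulnerable and fixed, with a hypothetical
# in-memory store so it runs offline.
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

HTTP_NO_CONTENT = 204     # deletion succeeded
HTTP_UNAUTHORIZED = 401   # no authenticated user at all
HTTP_FORBIDDEN = 403      # authenticated, but not the post's author
HTTP_NOT_FOUND = 404      # no such post


@dataclass
class Post:
    id: int
    author_id: int
    body: str


class PostStore:
    """Hypothetical in-memory post store standing in for the real database."""

    def __init__(self) -> None:
        self._posts: Dict[int, Post] = {}
        self._next_id = 1

    def create(self, author_id: int, body: str) -> Post:
        post = Post(id=self._next_id, author_id=author_id, body=body)
        self._posts[post.id] = post
        self._next_id += 1
        return post

    def get(self, post_id: int) -> Optional[Post]:
        return self._posts.get(post_id)

    def delete(self, post_id: int) -> None:
        self._posts.pop(post_id, None)


def delete_post_vulnerable(store: PostStore, post_id: int,
                           current_user_id: Optional[int]) -> int:
    """Reproduces the reported behaviour: checks authentication only.

    current_user_id is the ID taken from the server-side session
    (None when the request is not authenticated)."""
    if current_user_id is None:
        return HTTP_UNAUTHORIZED
    post = store.get(post_id)
    if post is None:
        return HTTP_NOT_FOUND
    # Missing: no comparison of post.author_id with current_user_id,
    # so any logged-in user can delete any post.
    store.delete(post_id)
    return HTTP_NO_CONTENT


def delete_post_fixed(store: PostStore, post_id: int,
                      current_user_id: Optional[int]) -> int:
    """Same handler with the ownership check the issue proposes."""
    if current_user_id is None:
        return HTTP_UNAUTHORIZED
    post = store.get(post_id)
    if post is None:
        return HTTP_NOT_FOUND
    # The authorization check: compare the author ID stored with the post
    # against the authenticated user's ID from the session, not against
    # anything the client sent in the request body.
    if post.author_id != current_user_id:
        return HTTP_FORBIDDEN
    store.delete(post_id)
    return HTTP_NO_CONTENT


Handler = Callable[[PostStore, int, Optional[int]], int]


def run_testing_protocol(handler: Handler) -> Tuple[int, bool]:
    """Runs the issue's testing protocol against a handler: test1 creates a
    post, test2 tries to delete it. Returns (status code, post still exists).
    User IDs 1 and 2 are constructed sample values."""
    store = PostStore()
    test1, test2 = 1, 2
    post = store.create(test1, "post written by test1")
    status = handler(store, post.id, test2)
    return status, store.get(post.id) is not None


def owner_can_delete(handler: Handler) -> Tuple[int, bool]:
    """Regression check that the fix does not block the legitimate owner."""
    store = PostStore()
    test1 = 1
    post = store.create(test1, "post written by test1")
    status = handler(store, post.id, test1)
    return status, store.get(post.id) is not None


if __name__ == "__main__":
    print("vulnerable:", run_testing_protocol(delete_post_vulnerable))  # (204, False)
    print("fixed:     ", run_testing_protocol(delete_post_fixed))       # (403, True)
```

`run_testing_protocol` encodes the reproduction steps from the issue so the same check can be kept as a regression test once the real handler is fixed; `owner_can_delete` guards against over-correcting to the point where the author can no longer delete their own post.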