braitsch/node-login

security bug

Closed this issue · 2 comments

If a user changes the username in the account settings page, using Firebug for example, they can modify the account of another user.

Fix: in the update route, use the user from req.session.user instead of req.param('user').
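The fix proposed above, modelled as an added example (not code from the issue or from node-login): the same tampered request run against a handler that trusts the submitted username and one that takes identity from the session only. The in-memory store, the handler and helper names, and the shape of `req.session.user` (an object with a `user` field) are assumptions made for illustration.

```javascript
// Constructed in-memory account store standing in for the project's database.
function makeStore() {
  return new Map([
    ['alice', { user: 'alice', name: 'Alice', email: 'alice@example.test' }],
    ['bob', { user: 'bob', name: 'Bob', email: 'bob@example.test' }],
  ]);
}

// Hypothetical helper: write the profile fields to the account named `user`.
function updateAccount(store, user, fields) {
  const account = store.get(user);
  if (!account) return false;
  account.name = fields.name;
  account.email = fields.email;
  return true;
}

// Behaviour reported in the issue: the target account is chosen by a field
// the browser submits, so editing that field retargets the write.
function updateHandlerVulnerable(store, req) {
  if (!req.session.user) return { status: 401 };
  const ok = updateAccount(store, req.body.user, req.body);
  return { status: ok ? 200 : 400 };
}

// Proposed fix: identity comes from the server-side session, never the form.
function updateHandlerFixed(store, req) {
  const sessionUser = req.session.user;
  if (!sessionUser) return { status: 401 };
  // A submitted username that differs from the session is a tampering signal
  // worth logging; it is reported here and otherwise ignored.
  const tampered = req.body.user !== undefined && req.body.user !== sessionUser.user;
  const ok = updateAccount(store, sessionUser.user, req.body);
  return { status: ok ? 200 : 400, tampered };
}

// Constructed request: alice is logged in, the form's user field reads "bob".
function tamperedRequest() {
  return {
    session: { user: { user: 'alice' } },
    body: { user: 'bob', name: 'Changed', email: 'changed@example.test' },
  };
}

function demo() {
  const before = makeStore();
  updateHandlerVulnerable(before, tamperedRequest());
  const after = makeStore();
  const res = updateHandlerFixed(after, tamperedRequest());
  return { vulnerableBob: before.get('bob').name, fixedBob: after.get('bob').name,
           fixedAlice: after.get('alice').name, tampered: res.tampered };
}
```

With the fixed handler the write lands on the session owner's account and the mismatch is flagged, so the same check doubles as a detection point.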

Is this fixed now?

Bump. Still not fixed... just remove line #80 in account-manager.js