brighthive/authserver

Restrict access to delete?


It appears that any user that has authenticated can call delete on any other user.

Should this be restricted such that a user can only delete themselves or certain people?

```python
@require_oauth()
def delete(self, id: str = None):
    if id is None:
        return self.response_handler.method_not_allowed_response()
    try:
        user = User.query.filter_by(id=id).first()
        if user:
            user_obj = self.user_schema.dump(user).data
            db.session.delete(user)
            db.session.commit()
            return self.response_handler.successful_delete_response('User', id, user_obj)
        else:
            return self.response_handler.not_found_response(id)
    except Exception:
        return self.response_handler.not_found_response(id)
```

As an attacker, I would write a script that would iterate through potential user ids.
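One way to apply the restriction the issue asks about, as an added example that is not authserver's own code: authorize the caller against the target id before the lookup, so a denied request gets the same 403 whether or not the id exists. The `Caller` type, the `admin` role name, the dict standing in for the User table and the audit list are all assumptions; how the caller's identity is read from the validated OAuth token is not shown on this page.

```python
from dataclasses import dataclass

# Hypothetical role name; the issue does not say which users may delete others.
ADMIN_ROLE = "admin"


@dataclass(frozen=True)
class Caller:
    """Identity taken from the validated OAuth token (assumed shape)."""
    user_id: str
    roles: frozenset = frozenset()


def may_delete(caller: Caller, target_id: str) -> bool:
    """Allow self-deletion, or deletion by a caller holding ADMIN_ROLE."""
    return caller.user_id == target_id or ADMIN_ROLE in caller.roles


def delete_user(caller: Caller, target_id, store: dict, audit_log: list):
    """Return (HTTP status, body). `store` is a dict standing in for the User table."""
    if target_id is None:
        return 405, {"error": "method not allowed"}
    # Authorize before touching the data store: a denied caller learns nothing
    # about which ids exist, and the denial is recorded for detection.
    if not may_delete(caller, target_id):
        audit_log.append(("delete_denied", caller.user_id, target_id))
        return 403, {"error": "forbidden"}
    user = store.pop(target_id, None)
    if user is None:
        return 404, {"error": "not found"}
    audit_log.append(("delete_ok", caller.user_id, target_id))
    return 200, {"deleted": target_id, "user": user}


if __name__ == "__main__":
    # Constructed sample data, not taken from the project.
    users = {"u1": {"name": "alice"}, "u2": {"name": "bob"}}
    log = []
    alice = Caller("u1")
    print(delete_user(alice, "u2", users, log))    # denied: another user's id
    print(delete_user(alice, "u404", users, log))  # denied: same answer for unknown id
    print(delete_user(alice, "u1", users, log))    # allowed: own account
    print(log)
```

Repeated `delete_denied` entries from one caller across many target ids are the signal to alert on.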