Restrict access to delete?
mkonda commented
It appears that any user that has authenticated can call delete on any other user.
Should this be restricted such that a user can only delete themselves or certain people?
authserver/authserver/api/user.py
Lines 143 to 157 in 89e2ae4
As an attacker, I would write a script that would iterate through potential user ids.
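The restriction asked about in this issue, sketched as an added example (not code from the authserver repository): deletion is allowed only for the caller's own account or for a caller holding an admin role, and denied attempts are counted per caller so that iteration over ids is visible. The in-memory `UserStore`, the `admin` role name and the `sweep` helper are assumptions made for illustration.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Caller is not allowed to perform the delete."""


@dataclass
class UserStore:
    # Constructed sample data: user id -> set of roles.
    users: dict = field(default_factory=lambda: {
        1: {"admin"}, 2: {"user"}, 3: {"user"}, 4: {"user"}})
    denied: dict = field(default_factory=dict)  # actor id -> denied count

    def delete_unrestricted(self, actor_id, target_id):
        """Behaviour the issue describes: authentication is the only gate."""
        if actor_id not in self.users:
            raise Forbidden("not authenticated")
        return self.users.pop(target_id, None) is not None

    def delete_restricted(self, actor_id, target_id):
        """Allow self-deletion, or deletion by a caller holding 'admin'."""
        roles = self.users.get(actor_id)
        if roles is None:
            raise Forbidden("not authenticated")
        if actor_id != target_id and "admin" not in roles:
            # Count denials per caller so id iteration shows up in monitoring.
            self.denied[actor_id] = self.denied.get(actor_id, 0) + 1
            raise Forbidden(f"user {actor_id} may not delete user {target_id}")
        return self.users.pop(target_id, None) is not None


def sweep(delete, actor_id, ids):
    """Regression helper: call `delete` per id as one caller, return ids removed."""
    removed = []
    for target in ids:
        try:
            if delete(actor_id, target):
                removed.append(target)
        except Forbidden:
            pass
    return removed


if __name__ == "__main__":
    print(sweep(UserStore().delete_unrestricted, 2, [1, 3, 4]))
    store = UserStore()
    print(sweep(store.delete_restricted, 2, [1, 3, 4]), store.denied)
```
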