geoffturk opened this issue 4 years ago · 3 comments
A user is currently able to add a favorite to an entity not controlled by him. We need to check the user is linked to the entity where the favorite is being added. If not, return a 403 error.
@LIYINGZHEN Please resolve in #115
This should be a separate PR.
If you prefer. Can you do it before you finish the logging PR then? Or right after?
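One way to implement the check the issue asks for, shown as an added example and not the project's own code. The in-memory `Store`, the `add_favorite` function, its status codes other than 403, and the user and entity names are all hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Store:
    # Constructed sample data: (user, entity_id) pairs meaning "user is linked to entity".
    links: set = field(default_factory=lambda: {("alice", 1), ("bob", 2)})
    # Favorites recorded as (entity_id, item_id).
    favorites: set = field(default_factory=set)


def add_favorite(store, session_user, entity_id, item_id):
    """Return (status, body) for a request to add item_id to entity_id's favorites.

    session_user is the identity established by authentication (None if absent).
    It is never taken from the request body, so a caller cannot claim to be
    another user in order to pass the link check.
    """
    if session_user is None:
        return 401, {"error": "authentication required"}
    if not isinstance(entity_id, int) or not isinstance(item_id, int):
        return 400, {"error": "entity_id and item_id must be integers"}
    # The check from the issue: the user must be linked to the target entity.
    # It runs before any write, so a rejected request leaves no state behind.
    if (session_user, entity_id) not in store.links:
        return 403, {"error": "user is not linked to this entity"}
    store.favorites.add((entity_id, item_id))
    return 201, {"entity_id": entity_id, "item_id": item_id}


if __name__ == "__main__":
    s = Store()
    print(add_favorite(s, "alice", 1, 10))  # linked user
    print(add_favorite(s, "alice", 2, 10))  # entity belongs to bob
```

A regression test for this issue should assert both the 403 status and that no favorite row was created for the foreign entity.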