This repository has been archived by the owner on Jul 24, 2021. It is now read-only.
When editing another user (say, changing their email or name), the API endpoint being submitted to is POST /user/me, not the correct endpoint for the specific user. The result is a 409 conflict because the logged-in user's info is being set to someone else's data, causing a "duplicate user found" error.
This is a pretty serious issue. I just tried to fix a typo I spotted in someone's username and email address, and it changed my data instead (including changing my password and stripping my admin flag)... if I had logged out, I would no longer be able to log in using my original email, and if someone reset my password for me, those credentials would be mailed to the other person instead.
I had to fix my data by going into the database directly.
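The report above describes the edit form posting another user's data to `POST /user/me`. As an added example (not code from this repository), here is a client-side endpoint selection plus a server-side guard for that route; the `/user/:id` route shape, the function names and the field allowlist are assumptions.

```javascript
// Added example. All names are hypothetical; `/user/:id` is an assumed route shape.
const SELF_ENDPOINT = '/user/me'; // the endpoint named in the report
const SELF_EDITABLE = ['name', 'email']; // assumed: password and admin flag use other flows

// Client: derive the endpoint from the user being edited, never from the session alone.
function buildUpdateRequest(sessionUserId, targetUser, changes) {
  if (!targetUser || targetUser.id == null) throw new TypeError('target user id required');
  const self = String(targetUser.id) === String(sessionUserId);
  return {
    method: 'POST',
    path: self ? SELF_ENDPOINT : `/user/${encodeURIComponent(targetUser.id)}`,
    body: { id: targetUser.id, ...changes },
  };
}

// Server: handler for POST /user/me. `users` is a Map of id -> record (constructed store).
function handleSelfUpdate(sessionUserId, body, users) {
  // Reject a payload that names a different user: it was built for someone else's form.
  if (body.id != null && String(body.id) !== String(sessionUserId)) {
    return { status: 400, error: 'payload id does not match session user' };
  }
  const me = users.get(sessionUserId);
  if (!me) return { status: 404, error: 'unknown user' };
  // Copy only allowlisted fields so a stray password or admin value is ignored.
  const patch = {};
  for (const k of SELF_EDITABLE) if (k in body) patch[k] = body[k];
  // Same conflict the report describes: the email already belongs to another account.
  for (const [id, u] of users) {
    if (id !== sessionUserId && patch.email && u.email === patch.email) {
      return { status: 409, error: 'duplicate user found' };
    }
  }
  Object.assign(me, patch);
  return { status: 200, user: me };
}

// Constructed sample data: an admin (id 1) fixing a typo in user 2's name.
function demo() {
  const users = new Map([
    [1, { id: 1, name: 'Admin', email: 'admin@example.test', admin: true }],
    [2, { id: 2, name: 'Bbo', email: 'bob@example.test', admin: false }],
  ]);
  const req = buildUpdateRequest(1, users.get(2), { name: 'Bob' });
  // What the misrouted form sent: user 2's data posted to the self endpoint.
  const misrouted = handleSelfUpdate(1, { id: 2, name: 'Bob', admin: false }, users);
  const selfEdit = handleSelfUpdate(1, { id: 1, name: 'Root', admin: false }, users);
  return { req, misrouted, selfEdit, admin: users.get(1), users };
}
```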