CyberFurz / furryfediverse-site

https://furryfediverse.org
MIT License

Check instance is in database before reporting. #36

Closed craftxbox closed 1 year ago

craftxbox commented 1 year ago

I found this small problem, where the client's input for instance isn't verified to actually be listed on the site. This is a problem, as an attacker could put in a fake, randomized instance name and spam the database/bot with frivolous reports. I recommend adding some kind of check that the contact user exists as well, or a verification system similar to what's required for add; however, ultimately those would only be minor nuisances to an attacker. Tested locally to work as intended.
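As an added example (not code from the furryfediverse-site repository or from this PR), the following Node.js validator shows the check the PR describes: a report is rejected unless its instance is already listed, and the contact handle is checked for shape and for belonging to that instance. The field names `instance`, `contact` and `reason`, and the instance list, are assumptions standing in for the site's real form and database.

```javascript
// Added example, not code from furryfediverse-site: validate a report request
// server-side so that reports for instances not listed in the database, or with
// a malformed contact handle, are rejected before anything is stored or sent to
// the bot. The instance list is constructed sample data standing in for the DB.
const listedInstances = new Set(["furry.example", "paws.example", "foxes.example"]);

// Normalise a user-supplied instance string to a bare lowercase hostname.
// Accepts "furry.example", "https://Furry.example/about", "FURRY.EXAMPLE";
// returns null for anything that is not a plausible hostname.
function normalizeInstance(input) {
  if (typeof input !== "string") return null;
  let host = input.trim().toLowerCase();
  host = host.replace(/^[a-z][a-z0-9+.-]*:\/\//, "").split("/")[0];
  if (host.length === 0 || host.length > 253) return null;
  // DNS-label characters only: no spaces, no query strings, no leading/trailing dots
  if (!/^[a-z0-9.-]+$/.test(host) || host.startsWith(".") || host.endsWith(".")) return null;
  return host;
}

// Validate one report body (field names `instance`, `contact`, `reason` are assumed).
// Returns { ok: true, report } with normalised fields, or { ok: false, reason }.
function validateReport(body, known = listedInstances) {
  const instance = normalizeInstance(body?.instance);
  if (instance === null) return { ok: false, reason: "malformed instance" };
  // The check this PR adds: a report is only accepted for an instance that is
  // already listed on the site, so a random made-up name cannot be reported.
  if (!known.has(instance)) return { ok: false, reason: "instance not listed" };
  // Contact must look like a fediverse handle and live on the reported instance,
  // so the bot's follow-up cannot be routed to an arbitrary host.
  const m = /^@?([a-z0-9_]{1,64})@([a-z0-9.-]+)$/i.exec(String(body?.contact ?? "").trim());
  if (m === null) return { ok: false, reason: "malformed contact" };
  if (normalizeInstance(m[2]) !== instance) return { ok: false, reason: "contact not on reported instance" };
  const reason = String(body?.reason ?? "").trim();
  if (reason.length < 10 || reason.length > 2000) return { ok: false, reason: "reason length out of range" };
  return { ok: true, report: { instance, contact: `${m[1].toLowerCase()}@${instance}`, reason } };
}
```

In a real handler `listedInstances` would be replaced by a database lookup of the instance table, and a rejected result should return a 4xx without touching the reports table or the bot.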