JohnTheCoolingFan / sayless

A link shortening service
MIT License

`create_token_perm` permission might be a vulnerability #3

Closed JohnTheCoolingFan closed 1 year ago

JohnTheCoolingFan commented 1 year ago

This permission allows creating tokens with any other permissions.

Possible solutions:

  1. Remove the permission entirely and use the master token or admin permission instead.
  2. Only allow creating tokens with permissions that are enabled for the token that created it.
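
The escalation described in this comment, next to the subset check that solution 2 proposes, as an added Python example that is not part of the sayless code base; `create_token_perm` is the name from the issue, the other permission names are assumed.

```python
from dataclasses import dataclass

ADMIN = "admin"                     # assumed permission name
CREATE_TOKEN = "create_token_perm"  # permission named in the issue

@dataclass(frozen=True)
class Token:
    name: str
    perms: frozenset

class PermissionDenied(Exception):
    pass

def create_token_unchecked(creator: Token, name: str, requested) -> Token:
    """Behaviour the issue reports: the creator only needs create_token_perm;
    the requested permissions are never compared with the creator's own."""
    if CREATE_TOKEN not in creator.perms:
        raise PermissionDenied(f"{creator.name} cannot create tokens")
    return Token(name, frozenset(requested))

def create_token_bounded(creator: Token, name: str, requested) -> Token:
    """Solution 2: a new token may only hold permissions the creating token
    already has, so no chain of created tokens can exceed its origin."""
    if CREATE_TOKEN not in creator.perms:
        raise PermissionDenied(f"{creator.name} cannot create tokens")
    requested = frozenset(requested)
    excess = requested - creator.perms
    if excess:
        raise PermissionDenied(f"{creator.name} may not grant {sorted(excess)}")
    return Token(name, requested)

def escalates(create) -> bool:
    """True if a token holding only create_token_perm can mint itself admin
    through the given create function."""
    limited = Token("limited", frozenset({CREATE_TOKEN}))
    try:
        minted = create(limited, "minted", {CREATE_TOKEN, ADMIN})
    except PermissionDenied:
        return False
    return ADMIN in minted.perms

if __name__ == "__main__":
    print("unchecked escalates:", escalates(create_token_unchecked))  # True
    print("bounded escalates:", escalates(create_token_bounded))      # False
```
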

JohnTheCoolingFan commented 1 year ago

Removed the permission entirely