Sharing the URL for my character sheet gives people a link to a page that allows them to edit my character sheet (bypassing auth). To be clear, the website checks if you are logged in, but once you are logged in, you are allowed to edit ANY sheet you have a link to, not just your own.
This seems like a security flaw.
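An added example, not the site's code and not part of the original post: the login-only check the post describes next to an object-level ownership check, with a read-only view so a shared link can still display the sheet. The sheet store, ids, user names and function names are all hypothetical.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not perform the requested action."""


@dataclass
class Sheet:
    owner: str
    data: dict = field(default_factory=dict)


# Constructed sample data: sheet id -> sheet. Ids and users are made up.
SHEETS = {"sheet-1": Sheet(owner="alice", data={"hp": 10})}


def edit_sheet_login_only(user, sheet_id, changes):
    """Behaviour described in the post: any logged-in user may edit."""
    if user is None:
        raise Forbidden("login required")
    SHEETS[sheet_id].data.update(changes)  # no ownership check
    return SHEETS[sheet_id].data


def edit_sheet_owner_only(user, sheet_id, changes):
    """Same handler with an object-level check against the session user."""
    if user is None:
        raise Forbidden("login required")
    sheet = SHEETS.get(sheet_id)
    # Treat "missing" and "not yours" alike so sheet ids cannot be probed.
    if sheet is None or sheet.owner != user:
        raise Forbidden("not your sheet")
    sheet.data.update(changes)
    return sheet.data


def view_sheet(sheet_id):
    """A shared link can still show the sheet: return a read-only copy."""
    return dict(SHEETS[sheet_id].data)
```

The ownership decision uses the user from the server-side session, never an owner or user id supplied in the request.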