SECutiee / ScanChat-api

GNU General Public License v3.0

Missing authentication for several chatroom attributes #3

Open Akira1906 opened 4 months ago

Akira1906 commented 4 months ago

There is no authentication, authorization or non-repudiation for POST requests.

Anybody can create a chatroom and choose the owner freely. Anybody can create a chatroom and choose anybody as a member. Anybody can add a new message to a chatroom and freely choose the sender_id of the message.

An attacker just has to do an appropriate POST request.

Akira1906 commented 4 months ago

This is also a data integrity issue, since an attacker can create a new chatroom and add the same user_id 1000 times as a member of that chatroom. This problem should be fixed by using data validation later on.
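The two comments above describe one root cause: the handlers take the caller's identity (owner, member list, sender_id) from the POST body instead of from an authenticated session, and they never validate the member list. The following is an added illustration, not ScanChat-api's own code: a pair of in-memory handlers in the vulnerable shape next to a hardened pair that derives identity from a bearer token, checks chatroom membership before accepting a message, and deduplicates the member list. The session table, the user ids and the request/response shapes are all assumptions made up for the demo.

```python
"""Body-trusted identity vs. session-derived identity for chatroom POST handlers.

Added example for discussion of the issue above; not code from the ScanChat-api
project. SESSIONS, the user ids and the handler signatures are constructed
for the demo.
"""
from dataclasses import dataclass, field

# Constructed fixture: stand-in for a real session/token store.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class Unauthenticated(Exception):
    """No valid bearer token on the request."""


class Forbidden(Exception):
    """Authenticated, but not allowed to act on this chatroom."""


class Invalid(Exception):
    """Request body failed validation."""


@dataclass
class Chatroom:
    room_id: int
    owner: str
    members: list = field(default_factory=list)
    messages: list = field(default_factory=list)


ROOMS: dict = {}


def _new_id() -> int:
    return len(ROOMS) + 1


def reset() -> None:
    """Clear the in-memory store (used by the demo and tests)."""
    ROOMS.clear()


# --- Vulnerable shape: every identity field is read straight from the body. ---

def create_chatroom_vulnerable(body: dict) -> Chatroom:
    # No caller identity at all: owner and members are whatever the client says,
    # and a repeated member id is stored as many times as it was sent.
    room = Chatroom(_new_id(), body["owner"], list(body.get("members", [])))
    ROOMS[room.room_id] = room
    return room


def post_message_vulnerable(room_id: int, body: dict) -> dict:
    # sender_id is attacker-controlled, so any user can be impersonated.
    msg = {"sender_id": body["sender_id"], "text": body["text"]}
    ROOMS[room_id].messages.append(msg)
    return msg


# --- Hardened shape: identity comes from the session, body identity is ignored. ---

def authenticate(headers: dict) -> str:
    """Map a 'Authorization: Bearer <token>' header to a user id or fail closed."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise Unauthenticated("missing bearer token")
    user = SESSIONS.get(auth[len("Bearer "):])
    if user is None:
        raise Unauthenticated("unknown token")
    return user


def create_chatroom(headers: dict, body: dict) -> Chatroom:
    caller = authenticate(headers)
    requested = body.get("members", [])
    if not isinstance(requested, list) or not all(isinstance(m, str) for m in requested):
        raise Invalid("members must be a list of user ids")
    # Owner is always the authenticated caller; a body-supplied 'owner' is ignored.
    # Members are deduplicated (order preserved) and always include the caller,
    # which closes the "same user_id 1000 times" integrity problem.
    members = list(dict.fromkeys([caller, *requested]))
    room = Chatroom(_new_id(), caller, members)
    ROOMS[room.room_id] = room
    return room


def post_message(headers: dict, room_id: int, body: dict) -> dict:
    caller = authenticate(headers)
    room = ROOMS.get(room_id)
    # Same error for "no such room" and "not a member" so room ids cannot be enumerated.
    if room is None or caller not in room.members:
        raise Forbidden("not a member of this chatroom")
    text = body.get("text")
    if not isinstance(text, str) or not 0 < len(text) <= 4000:
        raise Invalid("text must be a non-empty string of at most 4000 characters")
    # sender_id is bound to the session; any 'sender_id' in the body is never consulted.
    msg = {"sender_id": caller, "text": text}
    room.messages.append(msg)
    return msg


if __name__ == "__main__":
    reset()
    r = create_chatroom_vulnerable({"owner": "victim", "members": ["victim"] * 3})
    print("vulnerable:", r.owner, r.members)
    h = create_chatroom({"Authorization": "Bearer tok-alice"},
                        {"owner": "victim", "members": ["bob", "bob", "alice"]})
    print("hardened:", h.owner, h.members)
```

Whether a user may be added to a chatroom without consenting to it is a separate policy question the issue does not settle; the example only guarantees that the owner and the message sender are the authenticated caller, that only members can post, and that the member list carries no duplicates.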