Currently there is no validation that the user editing a subscription is the owner, only that a user is logged in.
Anyone can follow and update a subscription just by giving an id.
Need to validate the user editing and updating the subscription is the owner.
e.g.: /Identity/Account/Manage/Subscriptions/Edit?id=50
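One way to add the ownership check described above to a Razor Pages edit handler, as an added example that is not the project's own code. `AppDbContext`, `Subscription`, its `UserId` and `Name` properties, and the `./Index` redirect are assumptions made for illustration.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.EntityFrameworkCore;

// Hypothetical entity and context; the real project's types will differ.
public class Subscription
{
    public int Id { get; set; }
    public string UserId { get; set; }   // owner's Identity user id (assumed column)
    public string Name { get; set; }     // the only user-editable field in this sketch
}
public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<Subscription> Subscriptions { get; set; }
}

[Authorize] // being logged in is necessary but not sufficient
public class EditModel : PageModel
{
    private readonly AppDbContext _context;
    private readonly UserManager<IdentityUser> _userManager;
    public EditModel(AppDbContext context, UserManager<IdentityUser> userManager)
    { _context = context; _userManager = userManager; }

    public Subscription Subscription { get; private set; }

    // Query by id AND owner, so another user's id looks the same as a missing row.
    private Task<Subscription> FindOwnedAsync(int id)
    {
        var userId = _userManager.GetUserId(User);
        return _context.Subscriptions.FirstOrDefaultAsync(s => s.Id == id && s.UserId == userId);
    }
    public async Task<IActionResult> OnGetAsync(int id)
    {
        Subscription = await FindOwnedAsync(id);
        if (Subscription == null) return NotFound();
        return Page();
    }
    public async Task<IActionResult> OnPostAsync(int id)
    {
        // Repeat the check on update; the GET check does not protect the POST.
        Subscription = await FindOwnedAsync(id);
        if (Subscription == null) return NotFound();
        // Bind only the editable field so Id and UserId cannot be overposted.
        if (!await TryUpdateModelAsync(Subscription, "Subscription", s => s.Name)) return Page();
        await _context.SaveChangesAsync();
        return RedirectToPage("./Index");
    }
}
```

Returning `NotFound()` for both missing and foreign ids avoids confirming which subscription ids exist.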