danshannon / javastravav3api

Strava API v3 implementation written in Java v8
http://danshannon.github.io/javastravav3api/

Can star private segments without view_private scope #162

Open danshannon opened 7 years ago

danshannon commented 7 years ago

Using a token which does NOT have view_private scope

PUT https://www.strava.com/api/v3/segments/1190741/starred?starred=true

Returns 200 OK and a detailed representation of the segment.

The segment is flagged as private and therefore should not be visible at all. Strava should return a 401 Unauthorized.

danshannon commented 7 years ago

Same issue with:

HTTP PUT https://www.strava.com/api/v3/segments/8857183/starred?starred=true

Ignores the fact that the segment is flagged as private (and in this case belongs to another user
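
Added example, not part of the issue thread or of the javastravav3api code: a minimal Python model of the authorization check the report expects, next to the behaviour it describes. All names, the sample segments and the policy (a private segment is visible only to its owner through a token carrying `view_private`) are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    id: int
    owner_id: int
    private: bool

@dataclass(frozen=True)
class Token:
    athlete_id: int
    scopes: frozenset

# Constructed sample data, not real Strava segments or athletes.
SEGMENTS = {
    101: Segment(101, owner_id=1, private=True),   # caller's own private segment
    102: Segment(102, owner_id=2, private=True),   # another athlete's private segment
    103: Segment(103, owner_id=2, private=False),  # public segment
}

def can_view(token, seg):
    # Assumed policy: private segments are visible only to the owner,
    # and only when the token carries the view_private scope.
    if not seg.private:
        return True
    return seg.owner_id == token.athlete_id and "view_private" in token.scopes

def star_reported(token, segment_id, stars):
    """Behaviour described in the issue: the privacy flag is never consulted."""
    seg = SEGMENTS[segment_id]
    stars.add((token.athlete_id, seg.id))
    return 200, seg

def star_checked(token, segment_id, stars):
    """Authorize before acting: a refusal changes no state and returns no body."""
    seg = SEGMENTS.get(segment_id)
    if seg is None:
        return 404, None
    if not can_view(token, seg):
        # 401 is the status the issue asks for; note that a distinct 404 for
        # unknown ids still tells the caller that this id exists.
        return 401, None
    stars.add((token.athlete_id, seg.id))
    return 200, seg
```

A regression test for this class of bug should assert both halves of the refusal: the status code and the absence of any side effect or segment representation in the response.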