Get the role id of the user "admin". We can send such a request to the server. The request is sent without a cookie or token, i.e. it is unauthorized. If the user's id is not 1, we can guess it by brute force. As shown in the picture, we get the role id 1677.
Create a new user with the "admin" role. We can send such a request to the server. The request is sent without a cookie or token, i.e. it is unauthorized.
Log in as the new user with the password. We logged in with an admin role.
Expected Results
Unauthorized users should not be able to get a user's detailed info and should not be able to create a new user.
Actual Results
Unauthorized users can get a user's detailed info and can create a new user. The created user logs in successfully.
[Y] I have already searched the issues and there is no duplicate.
Would you like to claim this bug?
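As an added example that is not the project's own code, the two endpoints this report exercises (user detail lookup and user creation) modelled in plain Python, each in the unprotected form the report describes and in a hardened form that refuses unauthenticated callers and only lets an existing admin assign roles. The request shape, token store, and role ids other than 1677 are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

ADMIN_ROLE_ID = 1677   # role id the report shows for "admin"; reused here as a constructed value
USER_ROLE_ID = 2000    # constructed non-admin role id (assumption)


@dataclass
class Request:
    token: Optional[str] = None          # session token; None models the report's cookie-less call
    body: dict = field(default_factory=dict)


# Constructed in-memory state standing in for the database and the session store.
USERS = {
    1: {"name": "admin", "role_id": ADMIN_ROLE_ID},
    2: {"name": "alice", "role_id": USER_ROLE_ID},
}
SESSIONS = {"tok-admin": 1, "tok-alice": 2}   # token -> user id


def caller(req: Request) -> Optional[dict]:
    """Resolve the session token to a user record; None means the call is unauthenticated."""
    return USERS.get(SESSIONS.get(req.token)) if req.token else None


def get_user_vulnerable(req: Request, user_id: int):
    # Before: no check at all, so an anonymous caller can read any account's role id.
    user = USERS.get(user_id)
    return (200, user) if user else (404, None)


def get_user(req: Request, user_id: int):
    # After: never disclose account details to an unauthenticated caller.
    if caller(req) is None:
        return (401, None)
    user = USERS.get(user_id)
    return (200, user) if user else (404, None)


def create_user_vulnerable(req: Request):
    # Before: anyone may create an account and choose its role, including admin.
    uid = max(USERS) + 1
    USERS[uid] = {"name": req.body["name"], "role_id": req.body["role_id"]}
    return (201, uid)


def create_user(req: Request):
    # After: 401 without a session, 403 unless the caller already holds the admin role.
    who = caller(req)
    if who is None:
        return (401, None)
    if who["role_id"] != ADMIN_ROLE_ID:
        return (403, None)
    uid = max(USERS) + 1
    USERS[uid] = {"name": req.body["name"], "role_id": req.body["role_id"]}
    return (201, uid)
```

The same check belongs in the server-side handler for every user-management route, not only the two shown; a client-side or UI-only restriction does not stop the requests the report describes.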