differentreality / supplies_tracker

Django project for tracking home and office supplies
GNU General Public License v3.0

User Update view does not filter on logged in User #85

Closed kmetaxas closed 6 years ago

kmetaxas commented 6 years ago

UserUpdate view does not filter on the logged-in User and lets every logged-in User view and update every other User's details by simply changing the PK in the URL.

For example, if I'm user 10, my edit URL is /users/10/edit, but I can simply change it to /users/2/edit and see and update whoever is the user with pk 2.

I'll make a PR with a solution (use get_object() in the view, and do not use the PK parameter in the URL, as it is not needed).
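The report above describes an insecure direct object reference: the view trusts the pk from the URL instead of the session. The following is an added example, not code from the supplies_tracker repository or from the PR. It models the shape of a Django UpdateView (a `get_object()` hook fed by URL kwargs and a request carrying `request.user`) in plain Python so it runs without Django installed; the class names, the `edit_as` helper and the two sample users are assumptions made for illustration.

```python
"""Standalone model of the IDOR in a Django-style UserUpdate view.

Added example, not the project's code. It mirrors Django's UpdateView
pattern (get_object() driven by URL kwargs, request.user from the session)
in plain Python; every name below is an assumption for illustration.
"""
from dataclasses import dataclass


@dataclass
class User:
    pk: int
    username: str
    email: str


@dataclass
class Request:
    """Stand-in for django.http.HttpRequest: only the logged-in user matters here."""
    user: User


class NotFound(Exception):
    """Plays the role of django.http.Http404."""


# Constructed sample user table, standing in for User.objects.
USERS = {
    2: User(pk=2, username="alice", email="alice@example.org"),
    10: User(pk=10, username="bob", email="bob@example.org"),
}


class VulnerableUserUpdate:
    """The pattern the issue describes: an UpdateView with the default
    get_object(), which loads whatever pk the URL carries (/users/<pk>/edit)
    with no relation to the session user."""

    def get_object(self, request, **kwargs):
        try:
            return USERS[kwargs["pk"]]
        except KeyError:
            raise NotFound(kwargs["pk"])

    def post(self, request, data, **kwargs):
        obj = self.get_object(request, **kwargs)
        obj.email = data["email"]
        return obj


class HardenedUserUpdate:
    """The fix proposed in the issue: override get_object() to return the
    logged-in user and drop the pk from the URL, so the route is /users/edit.
    In real Django this is `def get_object(self, queryset=None): return self.request.user`."""

    def get_object(self, request, **kwargs):
        # Any pk a caller still passes is ignored; the object is always request.user.
        return request.user

    def post(self, request, data, **kwargs):
        obj = self.get_object(request, **kwargs)
        obj.email = data["email"]
        return obj


def edit_as(view, acting_pk, target_pk, new_email):
    """Simulate user `acting_pk` submitting the edit form at /users/<target_pk>/edit.
    Returns the pk of the record that was actually modified."""
    request = Request(user=USERS[acting_pk])
    updated = view.post(request, {"email": new_email}, pk=target_pk)
    return updated.pk


def reproduce_issue():
    """Re-run the report: user 10 changes the URL from /users/10/edit to /users/2/edit.
    The vulnerable view modifies pk 2; the hardened view can only modify pk 10."""
    return {
        "vulnerable": edit_as(VulnerableUserUpdate(), 10, 2, "tampered@example.org"),
        "hardened": edit_as(HardenedUserUpdate(), 10, 2, "bob-new@example.org"),
    }


if __name__ == "__main__":
    print(reproduce_issue())
```

Running it shows the vulnerable view returning pk 2 for a request authenticated as user 10, which is exactly the tampering the report describes, while the hardened view returns pk 10 regardless of the URL. Binding the object to `request.user` rather than filtering a queryset by the URL pk also removes the oracle that a 404-vs-200 response would otherwise give an attacker enumerating pks.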

angeanto commented 6 years ago

Very good bug detection, @kmetaxas. Sorry for not checking your PR immediately. There are some conflicts right now in the PR due to other branches that have been merged (I suppose). I am trying to figure this out.

angeanto commented 6 years ago

Fixed in #88