ghosts-network / gateway

RESTful public API for GhostNetwork education project

[PUT] /users/{userid}/profile-picture Security issue #40

Closed volodymyr-borodin closed 2 years ago

volodymyr-borodin commented 3 years ago

There is a [PUT] /users/{userid}/profile-picture endpoint that allows setting the profile picture for a profile. As this endpoint has userid as input, it will be better to restrict its use to the user itself.

Solution: if userid != current user id, return 403 status code.
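The check proposed in this issue, as an added example that is not the gateway project's code: a handler without the ownership check beside one with it. The `ProfileStore` class, the function names, the sample users and the 401 branch for unauthenticated callers are assumptions made for the illustration.

```python
# Added example: hypothetical in-memory handlers, not the gateway project's code.
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Response:
    status: int
    body: str = ""


@dataclass
class ProfileStore:
    # Constructed sample data: user id -> profile picture URL.
    pictures: Dict[str, str] = field(default_factory=dict)


def put_profile_picture_unchecked(store: ProfileStore, current_user_id: Optional[str],
                                  path_user_id: str, picture_url: str) -> Response:
    """Behaviour the issue describes: the {userid} path value alone selects the profile."""
    store.pictures[path_user_id] = picture_url
    return Response(204)


def put_profile_picture(store: ProfileStore, current_user_id: Optional[str],
                        path_user_id: str, picture_url: str) -> Response:
    """PUT /users/{userid}/profile-picture with the ownership check from the issue.

    current_user_id must be taken from the verified session or token,
    never from the request path, query string or body.
    """
    if not current_user_id:
        # Assumption: callers with no verified identity get 401, not 403.
        return Response(401, "authentication required")
    if path_user_id != current_user_id:
        # Deny before touching storage so a rejected request changes nothing.
        return Response(403, "cannot change another user's profile picture")
    store.pictures[path_user_id] = picture_url
    return Response(204)
```

A regression test for this endpoint should assert both the 403 status and that the target user's stored picture is unchanged after the rejected request.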