Reproduction:
User A creates a simple event -> the event shows up in the requested events page (as not approved)
User B logs in and performs a POST against User A's event route (/events/3/approve) -> the event is now approved
It seems that there are no security checks on the approve/reject actions.
Since the POST cannot be performed via the UI, as the page is not accessible to User B, this is rather low prio at the moment.
Prio medium.
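The server-side check that the approve/reject actions lack, as an added example in framework-free Python (not the project's own code). The `approver` role, the status names and the `handle_moderation` function are assumptions, since the report does not say who is allowed to approve; the point is that the handler itself must decide, regardless of whether the UI exposes the page.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    roles: set = field(default_factory=set)


@dataclass
class Event:
    id: int
    owner_id: int
    status: str = "requested"  # assumed states: requested | approved | rejected


def can_moderate(user, event):
    # Assumed policy: only holders of a hypothetical "approver" role may
    # approve or reject. Swap in the project's real rule here.
    return "approver" in user.roles


def handle_moderation(user, event_id, action, events):
    """Models POST /events/<id>/approve and /events/<id>/reject.

    Returns the HTTP status the route should answer with. The authorization
    decision is made here, on every request, not by hiding the page.
    """
    if user is None:
        return 401  # not logged in
    if action not in ("approve", "reject"):
        return 404  # unknown action
    event = events.get(event_id)
    if event is None:
        return 404  # no such event
    if not can_moderate(user, event):
        return 403  # logged in, but not allowed to moderate
    if event.status != "requested":
        return 409  # already approved or rejected
    event.status = "approved" if action == "approve" else "rejected"
    return 200


if __name__ == "__main__":
    # Constructed sample data mirroring the report: event 3 belongs to User A.
    events = {3: Event(id=3, owner_id=1)}
    user_b = User(id=2)
    print(handle_moderation(user_b, 3, "approve", events), events[3].status)
```

The direct POST from User B in the reproduction doubles as a regression test: it should be refused and leave the event unapproved.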