Both /dashboards/{dashboardID}/members and /dashboards/{dashboardID}/owners are accessible to anyone as long as they use ANY existing API token. This allows anyone to access any dashboard members and owners of any organization as long as they have a dashboard id and any existing API token.

Similarly, I tried to access /buckets/{bucketID}/members and /buckets/{bucketID}/owners where I was met with 404.

Steps to reproduce:

generate a new API Token (this time for a new organization)
make an API request to list all dashboard members from the dashboard you created in the Organization A
E.g. /api/v2/dashboards/orgADashboardID/members (use the saved dashboard ID)
In the response, you should receive all dashboard members from the dashboard created in Organization A

You can try to add a new member/owner with the Token from the Organization B into the dashboard that belongs to the Organization A, or delete the one member you created.
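
As an added example (not part of the original report and not InfluxDB's code), here is one way to scope the members endpoints to the token's organization, so that a foreign token gets the same 404 the report saw on the bucket endpoints. `Token`, `Dashboard`, `Store` and `authorize` are hypothetical names, and the sketch assumes each token belongs to exactly one organization.

```go
package main

import (
	"errors"
	"fmt"
)

var ErrNotFound = errors.New("dashboard not found") // hypothetical; maps to HTTP 404

type Token struct{ OrgID string }
type Dashboard struct {
	OrgID   string
	Members []string
}
type Store map[string]*Dashboard // dashboard ID -> dashboard

// authorize treats a foreign-org token like an unknown ID: both get ErrNotFound.
func (s Store) authorize(tok Token, id string) (*Dashboard, error) {
	d, ok := s[id]
	if !ok || d.OrgID != tok.OrgID {
		return nil, ErrNotFound
	}
	return d, nil
}

// ListMembers backs GET /api/v2/dashboards/{dashboardID}/members.
func (s Store) ListMembers(tok Token, id string) ([]string, error) {
	d, err := s.authorize(tok, id)
	if err != nil {
		return nil, err
	}
	return d.Members, nil
}

// AddMember backs POST on the same path and reuses the same check.
func (s Store) AddMember(tok Token, id, userID string) error {
	d, err := s.authorize(tok, id)
	if err != nil {
		return err
	}
	d.Members = append(d.Members, userID)
	return nil
}

func main() {
	// Constructed sample: one dashboard owned by organization A.
	s := Store{"orgADashboardID": {OrgID: "orgA", Members: []string{"alice"}}}
	_, err := s.ListMembers(Token{OrgID: "orgB"}, "orgADashboardID")
	fmt.Println("org B token:", err)
}
```

The reproduction steps above double as a regression test: a token from Organization B must fail on both the read and the write path for a dashboard in Organization A.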