Closed deepFlaw closed 11 months ago
This was fixed on both the frontend in #385 and in https://github.com/jedmund/hensei-api/pull/136 for the API-side fix to prevent anyone from sending POST requests outside of the URL to change team data. Thank you for this report, since this was a big one.
I was checking that setting a team to unlisted worked before sharing it with someone, and found that the button to change visibility still displays when logged out. And it does actually let you change it successfully too. (And if they change it to private, it switches to the private notice and still lets them change the visibility - since the check on owning a private team only happens upon refreshing.)
This button shouldn't display if you're not the owner. (Ideally, the API should also check that requests are coming from the owner.)
Can be tested using my example grid. (Well, tested once.)
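The owner check the report asks for, sketched as an added example (not code from hensei-api or the frontend): a handler that trusts the hidden button, next to one that verifies ownership on every request. The `Team` struct, the handler names, the status symbols and the `public` visibility value are assumptions made for illustration.

```ruby
# Constructed example: in-memory stand-ins for a team record and an API handler.
# All names here (Team, update_visibility_*, the status symbols) are hypothetical.
Team = Struct.new(:id, :owner_id, :visibility)

# "unlisted" and "private" come from the report; "public" is assumed.
VISIBILITIES = %w[public unlisted private].freeze

# "Before": relies on the client hiding the button. Any caller, including an
# anonymous one (current_user_id = nil), can change the team's visibility.
def update_visibility_unchecked(team, _current_user_id, new_visibility)
  team.visibility = new_visibility
  :ok
end

# "After": the server decides on every request whether the caller owns the
# team, so a stale page or a hand-built request cannot bypass the check.
def update_visibility_checked(team, current_user_id, new_visibility)
  return :unauthorized if current_user_id.nil?               # not logged in
  return :forbidden unless current_user_id == team.owner_id  # not the owner
  return :unprocessable unless VISIBILITIES.include?(new_visibility)

  team.visibility = new_visibility
  :ok
end

# Runs both handlers against constructed sample data and collects the results.
def demo
  results = {}

  team = Team.new(1, 42, "unlisted")
  results[:unchecked_anonymous] = update_visibility_unchecked(team, nil, "private")
  results[:after_unchecked] = team.visibility

  team = Team.new(1, 42, "unlisted")
  results[:anonymous]  = update_visibility_checked(team, nil, "private")
  results[:other_user] = update_visibility_checked(team, 7, "private")
  results[:unchanged]  = team.visibility
  results[:bad_value]  = update_visibility_checked(team, 42, "secret")
  results[:owner]      = update_visibility_checked(team, 42, "private")
  results[:final]      = team.visibility
  results
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```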