joyent / conch-ui

Web UI for Conch (https://github.com/joyent/conch-api)

wrong endpoint used for editing another user #303

Open karenetheridge opened 3 years ago

karenetheridge commented 3 years ago

When editing another user (say, changing their email or name), the API endpoint being submitted to is POST /user/me, not the correct endpoint for the specific user. The result is a 409 conflict because the logged-in user's info is being set to someone else's data, causing a "duplicate user found" error.

karenetheridge commented 3 years ago

This is a pretty serious issue. I just tried to fix a typo I spotted in someone's username and email address, and it changed my data instead (including changing my password and stripping my admin flag)... if I had logged out, I would no longer be able to log in using my original email, and if someone reset my password for me, those credentials would be mailed to the other person instead.

I had to fix my data by going into the database directly.
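The following is an added example, not code from the conch-ui project or from the reporter. It models the defect described in the first comment (an edit-user form that always submits to the self endpoint POST /user/me, so the caller's own account is overwritten with the other user's data) and shows a resolver plus a client-side guard that refuses to send another user's profile to the self endpoint. The per-user path `/user/<id>`, the function names and the sample user ids are assumptions; the real conch-api per-user route is not named on the page.

```javascript
// Added example (not conch-ui project code). Models the bug in this issue and a fix.
// ASSUMPTION: per-user updates go to /user/<id>; only /user/me is named on the page.

// Buggy resolver: ignores the target user entirely, as the issue describes.
function buggyUserEndpoint(_targetUserId, _currentUserId) {
  return '/user/me';
}

// Fixed resolver: a target that is not the current user never resolves to /user/me.
function userEndpoint(targetUserId, currentUserId) {
  if (targetUserId === undefined || targetUserId === null || targetUserId === '') {
    throw new Error('target user id is required');
  }
  if (targetUserId === currentUserId) {
    return '/user/me';
  }
  return '/user/' + encodeURIComponent(String(targetUserId));
}

// Build the request the form would submit. As a second line of defence the
// builder refuses to post someone else's data to the self endpoint, whichever
// resolver produced the URL, so the failure is a client-side error rather than
// an overwritten password and admin flag on the caller's own account.
function buildUpdateRequest(resolver, targetUserId, currentUserId, changes) {
  const url = resolver(targetUserId, currentUserId);
  if (url === '/user/me' && targetUserId !== currentUserId) {
    return { ok: false, reason: "refusing to submit another user's data to /user/me" };
  }
  return { ok: true, method: 'POST', url: url, body: JSON.stringify(changes) };
}

// Constructed sample: admin 'u-42' fixes a typo in user 'u-7' (assumed ids).
const sampleChanges = { email: 'corrected@example.invalid', name: 'Corrected Name' };
const withBug = buildUpdateRequest(buggyUserEndpoint, 'u-7', 'u-42', sampleChanges);
const withFix = buildUpdateRequest(userEndpoint, 'u-7', 'u-42', sampleChanges);
console.log('buggy resolver:', JSON.stringify(withBug));
console.log('fixed resolver:', JSON.stringify(withFix));
```

Running the block prints the refused request for the buggy resolver and a POST to `/user/u-7` for the fixed one; the same check is what a regression test for the form's submit handler would assert.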