Closed. wiggin77 closed this 4 months ago.
@wiggin77 I think you might need to update the docs here https://developers.mattermost.com/integrate/plugins/components/server/best-practices/ as that seems to recommend this as the way of checking who the requesting user is.
Sorry @grundleborg, my mistake. I didn't know about the magic done in mmserver to set that header for the incoming request.
Currently the code checks for an HTTP header `Mattermost-User-ID`. The permissions for that userID are checked to ensure they are an admin. However, anyone can create a request with the userID of an admin and use the APIs. The requester should be logged in and the permissions should be checked against the userID from the session.