It appears the get-recent-fats-by-character endpoint has no check that you are authorized to view a character's FAT links. As long as you are logged in, you can view any character's FAT links by supplying their EVE character ID in the URL.
Steps to Reproduce
Steps to reproduce the behavior:
Log into AllianceAuth.
Navigate to www.example.com/fleet-activity-tracking/ajax/dashboard/get-recent-fats-by-character/{not-your-character-id}. Replace {not-your-character-id} with a character ID your account is not authorized to view, and replace www.example.com with your local Alliance Auth instance.
See the returned JSON.
Expected behavior
You should not be able to see FAT links for characters you are not authorized to view.
Please complete the following information:
App Version: 3.0.1
Alliance Auth Version: 4.1.0
Browser and Version: N/A, the issue reproduces with any browser, curl, etc.
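To make the missing check concrete, here is an added illustration (not AFAT's own code) of the reported behaviour beside a hardened handler that performs object-level authorization before returning a character's FAT links. The User class, permission strings, character/corporation mapping and FAT data are all constructed for this example and are not the app's models or permission names.

```python
from dataclasses import dataclass, field

# All names, permission strings and data below are constructed for this
# example; they are not AFAT's models, permission names or real records.

@dataclass
class User:
    name: str
    characters: set                  # EVE character ids this auth account owns
    perms: set = field(default_factory=set)

# constructed lookup tables: character id -> corporation id, character id -> FAT links
CHARACTER_CORP = {1001: 98000001, 2002: 98000001, 3003: 98000002}
FAT_LINKS = {1001: ["Home defence"], 2002: ["Strat op"], 3003: ["Mining op"]}

def get_recent_fats_vulnerable(user, character_id):
    """Reported behaviour: only a login check, no check that the caller may see this character."""
    if user is None:
        return 401, None
    return 200, FAT_LINKS.get(character_id, [])

def can_view_character(user, character_id):
    """Object-level check: own character, same corporation with a corp-level
    permission, or a global permission. Permission names are hypothetical."""
    if character_id in user.characters:
        return True
    if "fat.view_all" in user.perms:
        return True
    if "fat.view_own_corp" in user.perms:
        own_corps = {CHARACTER_CORP[c] for c in user.characters if c in CHARACTER_CORP}
        if CHARACTER_CORP.get(character_id) in own_corps:
            return True
    return False

def get_recent_fats_fixed(user, character_id):
    """Hardened handler: authenticate first, then authorize against the requested object."""
    if user is None:
        return 401, None
    if not can_view_character(user, character_id):
        # 403 mirrors Django's PermissionDenied; a deployment that prefers not to
        # reveal which character ids exist can return 404 for this case instead.
        return 403, None
    return 200, FAT_LINKS.get(character_id, [])

# constructed sample accounts
ALICE = User("alice", {1001})
BOB = User("bob", {2002}, {"fat.view_own_corp"})
CAROL = User("carol", {3003})
```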