tsgrp / HPI

OpenContent Management Suite (OCMS)
http://www.tsgrp.com/products

Users Can Access User Preferences of Other Users #2295

Closed engerernoah closed 4 years ago

engerernoah commented 4 years ago

It is currently possible to access the user preferences for users other than the logged-in user. Users should only be able to view their user preferences based on the session ticket. Users should be forbidden from accessing other users' preferences. The solution for this issue is to check the passed-in path variable for the username against the user login name based on the session ticket and to only retrieve preferences if the names match.

engerernoah commented 4 years ago

Closed with OC Revision: 26190

NOT ALLOWING USERS TO RETRIEVE USER PREFERENCES OF OTHER USERS - Updating the UserPreferences endpoint to match the name variable passed in on the path to the user login name based on the session ticket before retrieving preferences. If these do not match, we throw an OCForbiddenRuntimeException. Users can now only access their own user preferences.

GH Issue: https://github.com/tsgrp/HPI/issues/2295

CR: aking, rsaladrigas
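The authorization gap this issue describes and the check the fix records, modelled side by side as an added example (not HPI/OCMS project code): the session store, preference store, ticket values and the `ForbiddenError`/`UnauthenticatedError` names are constructed stand-ins for the project's own session handling and `OCForbiddenRuntimeException`.

```python
# Added example, not HPI/OCMS project code: the pre-fix and post-fix behaviour of a
# "get preferences for {username}" endpoint, reduced to plain Python functions.
# Session and preference stores below are constructed sample data.

class ForbiddenError(Exception):
    """Stands in for the OCForbiddenRuntimeException the fix throws."""

class UnauthenticatedError(Exception):
    """Assumed behaviour: a ticket that resolves to no login name is rejected."""

# Constructed sample data: session tickets mapped to login names, and each
# user's preference document.
SESSIONS = {"ticket-abc": "alice", "ticket-xyz": "bob"}
PREFERENCES = {
    "alice": {"theme": "dark", "home_folder": "/alice"},
    "bob": {"theme": "light", "home_folder": "/bob"},
}

def login_name_from_ticket(ticket):
    """Resolve the session ticket to a login name; fail closed on unknown tickets."""
    try:
        return SESSIONS[ticket]
    except KeyError:
        raise UnauthenticatedError("unknown or expired session ticket")

def get_preferences_vulnerable(ticket, path_username):
    """Pre-fix behaviour: proves the caller is logged in, then trusts the path variable."""
    login_name_from_ticket(ticket)          # only establishes that *someone* is logged in
    return PREFERENCES[path_username]       # any user's document can be fetched

def get_preferences_fixed(ticket, path_username):
    """Post-fix behaviour (OC revision 26190): the path variable must match the
    login name derived from the session ticket, otherwise the request is forbidden."""
    login_name = login_name_from_ticket(ticket)
    if path_username != login_name:
        raise ForbiddenError(
            f"session user {login_name!r} may not read preferences of {path_username!r}"
        )
    return PREFERENCES[login_name]          # look up by the session identity, not the path

if __name__ == "__main__":
    print(get_preferences_vulnerable("ticket-abc", "bob"))   # alice reads bob's prefs
    try:
        get_preferences_fixed("ticket-abc", "bob")
    except ForbiddenError as exc:
        print("forbidden:", exc)
    print(get_preferences_fixed("ticket-abc", "alice"))      # own prefs still readable
```

The fixed handler also reads the preference document by the session-derived name rather than the path value, so the path variable is reduced to a check and never used as a lookup key.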