venantius / darg

Kill the status meeting -- an abandoned IDoneThis competitor.

Add authorization logic for `/api/v1/user/:user-id/profile` #176

Closed venantius closed 9 years ago

venantius commented 9 years ago

I would posit that a user shouldn't be allowed to arbitrarily look up any other user, but only a user that they're on the same team as.

Lagoja commented 9 years ago

I believe there was a team check in my original code for this.
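
The rule proposed in this issue, sketched as an added example (it is not darg's code and not from either commenter): the profile endpoint returns a user only when the authenticated requester shares a team with them. The in-memory tables, the function names, allowing a user to read their own profile, and answering 404 for both "no such user" and "not on a shared team" are assumptions made for the illustration.

```python
# Constructed sample data (assumption): team id -> member user ids.
TEAM_MEMBERS = {
    1: {10, 11},
    2: {11, 12},
    3: {13},
}

# Constructed sample profiles (assumption); user 14 belongs to no team.
PROFILES = {
    10: {"id": 10, "name": "alice"},
    11: {"id": 11, "name": "bob"},
    12: {"id": 12, "name": "carol"},
    13: {"id": 13, "name": "dave"},
    14: {"id": 14, "name": "erin"},
}


def teams_of(user_id):
    """Return the set of team ids the user belongs to."""
    return {team for team, members in TEAM_MEMBERS.items() if user_id in members}


def can_view_profile(requester_id, target_id):
    """True when the requester is the target or shares at least one team."""
    if requester_id == target_id:
        return True  # assumption: reading your own profile is always allowed
    return bool(teams_of(requester_id) & teams_of(target_id))


def get_profile(requester_id, target_id):
    """Hypothetical handler for GET /api/v1/user/:user-id/profile.

    requester_id must come from the authenticated session, never from the
    request; target_id is the :user-id path parameter.
    """
    if requester_id is None:
        return 401, {"error": "unauthenticated"}
    profile = PROFILES.get(target_id)
    # Same answer for an unknown id and for a user outside the requester's
    # teams, so the endpoint cannot be used to learn which user ids exist.
    if profile is None or not can_view_profile(requester_id, target_id):
        return 404, {"error": "not found"}
    return 200, profile
```
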