webida / webida-server

Webida Opensource Project - Server Repository
Apache License 2.0

deleteAccount() api bug #161

Closed sangjin3 closed 8 years ago

sangjin3 commented 8 years ago

When the deleteAccount() api is called, the server currently checks authorization with query.uid. But query.uid is the target to delete, not the target to check authorization against. The server should check whether the user who is requesting the deleteAccount() api has the authority to do it or not.

kyungmi commented 8 years ago

@sangjin3 I looked into the user-manager.js source. But checkAuthorize() seems to be done with req.user.uid, not req.query.uid. Could you explain more about this?

sangjin3 commented 8 years ago

I mean the deleteAccount() implementation, not the checkAuthorize() api. (src/server/auth/lib/user-manager.js:729)

kyungmi commented 8 years ago

It finally turned out that there is no problem. I'll close this issue.