wgilpin / recruitment-ascee


Non admins can reach http://ascee-recruit.herokuapp.com/app/admin #610

Open Xeltronix opened 4 years ago

Xeltronix commented 4 years ago

You are able to reach the admin directory (/app/admin) when you are not one. I cannot edit any of the questions or view roles and lists. Any normal user should get an HTTP 403 Forbidden URL or just be redirected back to app/apply.

mcgibbon commented 4 years ago

I'll point out that there is no information leak here - any normal user is able to view the list of questions. Any sensitive data is still protected by the backend layer. If this is hard to do, it's not very high priority.

mcgibbon commented 4 years ago

Probably redirecting to app/login (which will in turn redirect to the app/recruiter or app/apply) is the right way to go.
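The two-layer design this thread describes, worked through as an added example (not code from the recruitment-ascee project, which is not shown here): a route guard on /app/admin that either returns 403 or bounces the user through /app/login, which then lands them on /app/recruiter or /app/apply by role, next to a backend call that re-checks the role itself so the guard is only a usability measure and never the security boundary. Plain Python is used instead of the app's framework; the role names (admin, recruiter, applicant), the `User`/`Response` types, the `list_roles` backend call and the roles sample data are assumptions.

```python
"""Route guard plus backend check for an admin page (illustration only)."""
from dataclasses import dataclass
from typing import Optional

# Assumed role names; the thread only mentions admins, recruiters and applicants.
ADMIN, RECRUITER, APPLICANT = "admin", "recruiter", "applicant"

# Where /app/login sends an already-authenticated user, per the thread.
HOME_BY_ROLE = {ADMIN: "/app/admin", RECRUITER: "/app/recruiter", APPLICANT: "/app/apply"}


@dataclass
class User:            # assumed session model
    name: str
    role: str


@dataset_placeholder = None  # noqa: placeholder removed below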