It appears that any user that has authenticated can call delete on any other user.
Should this be restricted such that a user can only delete themselves or certain people?
```python
    @require_oauth()
    def delete(self, id: str = None):
        if id is None:
            return self.response_handler.method_not_allowed_response()
        try:
            user = User.query.filter_by(id=id).first()
            if user:
                user_obj = self.user_schema.dump(user).data
                db.session.delete(user)
                db.session.commit()
                return self.response_handler.successful_delete_response('User', id, user_obj)
            else:
                return self.response_handler.not_found_response(id)
        except Exception:
            return self.response_handler.not_found_response(id)
```
As an attacker, I would write a script that would iterate through potential user ids.
authserver/authserver/api/user.py, lines 143 to 157 in 89e2ae4
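The snippet above authenticates the caller (`@require_oauth()`) but never asks whether that caller is allowed to delete the requested `id`, which is the missing object-level authorization the issue points out. The following is an added example, not code from the authserver project: it shows the shape of a hardened delete handler where the ownership check runs before the database lookup, so a non-admin gets the same `403` for every id that is not their own, whether or not that id exists. `User`, `UserStore`, `authorize_delete`, `delete_user`, the `is_admin` flag and the dict-shaped responses are all assumptions standing in for the project's models and response handler.

```python
"""Object-level authorization for a user-delete endpoint.

Added example; not the authserver project's own code. `UserStore`,
`authorize_delete`, `delete_user` and the `is_admin` flag are
illustrative assumptions, as is returning plain dicts in place of the
project's response handler.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional


@dataclass
class User:
    id: str
    is_admin: bool = False


@dataclass
class UserStore:
    """Minimal in-memory stand-in for the SQLAlchemy session."""
    users: Dict[str, User] = field(default_factory=dict)

    def get(self, user_id: str) -> Optional[User]:
        return self.users.get(user_id)

    def delete(self, user_id: str) -> None:
        del self.users[user_id]


def authorize_delete(current_user: User, target_id: str) -> bool:
    """A user may delete only themselves; an admin may delete anyone.

    The decision depends only on the caller and the requested id, not on
    whether the target row exists, so the endpoint does not leak which
    ids are valid to a caller who is not allowed to act on them.
    """
    return current_user.is_admin or current_user.id == target_id


def delete_user(store: UserStore, current_user: User,
                target_id: Optional[str]) -> dict:
    """Hardened delete: authenticate (done upstream), then authorize,
    and only then touch the database."""
    if target_id is None:
        return {"status": 405, "detail": "method not allowed"}
    if not authorize_delete(current_user, target_id):
        return {"status": 403, "detail": "forbidden"}
    user = store.get(target_id)
    if user is None:
        return {"status": 404, "detail": "not found"}
    store.delete(target_id)
    return {"status": 200, "deleted": target_id}


def enumeration_outcome(store: UserStore, caller: User,
                        ids: Iterable[str]) -> Dict[str, int]:
    """Replay the id-iteration the issue describes against the hardened
    endpoint and collect the status per id (useful as a regression test)."""
    return {i: delete_user(store, caller, i)["status"] for i in ids}


if __name__ == "__main__":
    # Constructed sample data: two ordinary users and one admin.
    store = UserStore({"1": User("1"), "2": User("2"),
                       "9": User("9", is_admin=True)})
    print(enumeration_outcome(store, store.get("1"), ["2", "3", "9"]))
    print(delete_user(store, store.get("9"), "2"))
```

The ordering matters: checking authorization before `store.get` means the enumeration loop in the issue sees a uniform `403` and never learns which ids exist, and the original `except Exception` fallback that maps every error to `not_found_response` is no longer needed to hide anything.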