AnsweredAssumed Answered

Why can an authenticated student return information about other users from the API?

Question asked by chrishawl on Jun 27, 2018
Latest reply on Oct 17, 2018 by chrishawl

I'm hitting this endpoint, /learn/api/public/v1/users/, with a bearer token obtained via the OAuth code flow. The token is for a student user. However, when I hit this endpoint the information returns pertaisn to other users in the system whom from a security perspective I would not expect a student to be able to see. Surely it is a massive oversight for a student user to be able to see the personal information of other users?

Outcomes