
Why can an authenticated student return information about other users from the API?

Question asked by chrishawl on Jun 27, 2018
Latest reply on Jun 29, 2018 by jkelley_blackboard

I'm hitting this endpoint, /learn/api/public/v1/users/, with a bearer token obtained via the OAuth code flow. The token is for a student user. However, when I hit this endpoint the information returned pertains to other users in the system whom, from a security perspective, I would not expect a student to be able to see. Surely it is a massive oversight for a student user to be able to see the personal information of other users?
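The concern in the question is authorization, not authentication: the token proves who the caller is, but the listing is not scoped by the caller's role. The following is an added example, not Blackboard code and not the poster's; it uses constructed user records with assumed field names (`id`, `userName`, `contact`, `roles`), shows the unscoped behaviour the question describes beside a role-scoped version, and includes a small audit helper an administrator could run over a real response body to count how many other users' contact details a student-scoped token can see.

```python
"""Added example (not Blackboard code): scoping a users listing by caller role.

The records below are constructed, and the field names are assumptions
chosen to resemble a REST users listing; they are not taken from the
Learn API documentation.
"""
from typing import Dict, List

# Constructed user records (assumption: shape of a users listing).
USERS: List[Dict] = [
    {"id": "u1", "userName": "astudent",
     "contact": {"email": "astudent@example.edu"}, "roles": ["student"]},
    {"id": "u2", "userName": "bstudent",
     "contact": {"email": "bstudent@example.edu"}, "roles": ["student"]},
    {"id": "u3", "userName": "cadmin",
     "contact": {"email": "cadmin@example.edu"}, "roles": ["admin"]},
]

# Fields treated as personal information for the audit below (assumption).
PII_FIELDS = ("contact",)


def _caller(caller_id: str) -> Dict:
    return next(u for u in USERS if u["id"] == caller_id)


def list_users_unscoped(caller_id: str) -> List[Dict]:
    """Behaviour the question describes: the token is valid, so every
    record is returned regardless of the caller's role."""
    _caller(caller_id)  # authentication only: caller must exist
    return USERS


def list_users_scoped(caller_id: str) -> List[Dict]:
    """Hardened form: the caller's role decides which records are visible.

    Administrators get the full listing; everyone else gets only their own
    record, so a student-scoped token cannot enumerate other users.
    """
    caller = _caller(caller_id)
    if "admin" in caller["roles"]:
        return USERS
    return [u for u in USERS if u["id"] == caller_id]


def exposed_other_users(response: List[Dict], caller_id: str) -> List[str]:
    """Audit helper: ids of other users whose PII fields appear in a
    response obtained with the given caller's token."""
    return [
        u["id"] for u in response
        if u["id"] != caller_id and any(f in u for f in PII_FIELDS)
    ]


if __name__ == "__main__":
    student = "u1"
    print("unscoped:", exposed_other_users(list_users_unscoped(student), student))
    print("scoped:  ", exposed_other_users(list_users_scoped(student), student))
```

Run against a real response body (parsed JSON list), `exposed_other_users` gives a quick count of how many other users' contact details a given token can see, which is the check to perform before concluding the listing is scoped correctly.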
