/cms/active-users
/transactions
Maybe this is a bug, or does it work as it should?
I mean that when I go to those URLs as a member (not superuser), I am able to see this information. Shouldn't this be restricted to a superuser or a user with access only?
Could be made as intended; not sure what your intention is.
Got it, we will add permissions to these URLs in our next release.
Reopening, found one more:
/subscriptions/subscriptions/create (this page works, submission does not, but the page should also not work for members that have no access)
/subscriptions/products (this page works, shouldn't work)
I suggest you take a look at all the subscriptions endpoints; there are more leaks in them.
You can test by visiting these endpoints with a user inside a role that has no permission to them.
Please remove the auto-close function; it is not suited because you did not resolve the ticket yet…