-
Don't display the `is_admin?` flag for user API responses. · 34b71e73Timothy Andrew authored
- To prevent an attacker from enumerating the `/users` API to get a list of all the admins. - Display the `is_admin?` flag wherever we display the `private_token` - at the moment, there are two instances: - When an admin uses `sudo` to view the `/user` endpoint - When logging in using the `/session` endpoint
34b71e73
| Name |
Last commit
|
Last update |
|---|---|---|
| .. | ||
| login.json | Loading commit data... | |
| public.json | Loading commit data... |