Project

General

Profile

Actions

Defect #11870

closed

Users can delete their own accounts unconditionally via REST API

Added by Enrique Castilla Contreras about 12 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
REST API
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:

Description

On Users collection, an administrator may delete its own account on Redmine, making it unusable.

Doing exploratory testing tasks with API REST I've accidentally deleted my own user on http://ecastillac.m.redmine.org, making the server unusable for me.

I've tried this script, provided Admin user had id=2 as shown in a previous execution:

#!/usr/bin/perl -w

use strict;
use warnings;

our ($VERSION) = '0.01'; # q$Revision$ =~ /(\d+)/;

use Test::More;
use Data::Dump;

# --------------------------------------------------

use Redmine::API;

my($API_Key, $BASE_URL) = do 'config';

my $api = Redmine::API->new( auth_key => $API_Key
                           , base_url => $BASE_URL
                           , trace => $ARGV[0] || 0);

my($res, $res1);

# -------------------------------------------------

#$res = $api->users->x->all();
#ddx $res->body;

$res1 = $api->users->user->del( 2 );
ddx $res1->body;


Files

fix-11870.patch (1.46 KB) fix-11870.patch Mizuki ISHIKAWA, 2020-06-25 08:49
fix-11870-v2.patch (3.54 KB) fix-11870-v2.patch Mizuki ISHIKAWA, 2020-07-02 06:05
fix-11870-v3.patch (1.54 KB) fix-11870-v3.patch vzvu 3k6k, 2020-07-14 17:57
Actions

Also available in: Atom PDF