1. 25 Apr, 2017 1 commit
    • Timothy Andrew's avatar
      Don't display the `is_admin?` flag for user API responses. · 34b71e73
      Timothy Andrew authored
      - To prevent an attacker from enumerating the `/users` API to get a list of all
        the admins.
      
      - Display the `is_admin?` flag wherever we display the `private_token` - at the
        moment, there are two instances:
      
        - When an admin uses `sudo` to view the `/user` endpoint
        - When logging in using the `/session` endpoint
      34b71e73
  2. 21 Apr, 2017 2 commits
  3. 20 Apr, 2017 37 commits