    Don't display the `is_admin?` flag for user API responses. · 34b71e73
    Timothy Andrew authored
    - To prevent an attacker from enumerating the `/users` API to get a list of all
      the admins.
    
    - Display the `is_admin?` flag wherever we display the `private_token` - at the
      moment, there are two instances:
    
      - When an admin uses `sudo` to view the `/user` endpoint
      - When logging in using the `/session` endpoint
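As an added example that is not GitLab's code, the rule the commit describes as plain Ruby: one public representation for list endpoints such as `/users`, and one private representation, used only where `private_token` is already shown (sudo on `/user`, login via `/session`), that carries `is_admin`. The `User` fields other than `is_admin?` and `private_token`, and the `sudo:` flag, are assumptions for illustration.

```ruby
# Constructed user record; only `is_admin?` and `private_token` come from the
# commit message, the other fields are assumed for the example.
User = Struct.new(:id, :username, :admin, :private_token, keyword_init: true) do
  def is_admin?
    admin
  end
end

module UserSerializer
  # What any API consumer may see for any user (e.g. GET /users):
  # no admin flag, so the list cannot be used to enumerate admins.
  def self.public_hash(user)
    { id: user.id, username: user.username }
  end

  # What a caller sees together with the token (sudo on GET /user, POST
  # /session): the only representation that exposes `is_admin`.
  def self.private_hash(user)
    public_hash(user).merge(
      private_token: user.private_token,
      is_admin: user.is_admin?
    )
  end

  # GET /users: always the public shape, whoever asks.
  def self.list(users)
    users.map { |u| public_hash(u) }
  end

  # GET /user: private shape only when the request is made via sudo.
  def self.current_user(user, sudo: false)
    sudo ? private_hash(user) : public_hash(user)
  end

  # POST /session: the login response always carries the token.
  def self.session(user)
    private_hash(user)
  end

  # The invariant from the commit: `is_admin` appears in a response
  # exactly when `private_token` does.
  def self.consistent?(response)
    response.key?(:is_admin) == response.key?(:private_token)
  end
end
```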