The whole app was a shitshow...
- Cancel order as a post request (the same post request used to save the order).
I demoed to the client how with a couple of lines of code I could change his "Cancel order" button to a "Mark my order as paid" button....
- List orders method took a user id as input...
- Update profile did not care about which properties you should be able to change as a non admin...
And so on...
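The three bugs in the post, as an added example that is not the poster's code or the app described: each handler is written the way the post describes it, beside a hardened form, with a constructed in-memory store and a session-derived user id standing in for a real web framework.

```python
"""Three authorization bugs from the post, reproduced in a framework-free
handler model, each beside a hardened version. All data is constructed."""
from dataclasses import dataclass, field

# Constructed in-memory data: orders and profiles owned by user ids.
ORDERS = {1: {"owner": 10, "status": "placed"}, 2: {"owner": 20, "status": "placed"}}
PROFILES = {10: {"email": "a@example.test", "is_admin": False},
            20: {"email": "b@example.test", "is_admin": False}}

@dataclass
class Request:
    user: int                         # authenticated user id from the session, never from the client
    form: dict = field(default_factory=dict)

# --- Bug 1: "cancel order" reuses the generic save endpoint, so the client picks the status.
def save_order_vulnerable(req, order_id):
    ORDERS[order_id]["status"] = req.form["status"]   # "paid" is just another string here
    return ORDERS[order_id]["status"]

def cancel_order_hardened(req, order_id):
    order = ORDERS[order_id]
    if order["owner"] != req.user:
        raise PermissionError("not your order")
    if order["status"] != "placed":          # only a placed order may be cancelled
        raise ValueError("order cannot be cancelled")
    order["status"] = "cancelled"            # the server decides the transition, not the form
    return order["status"]

# --- Bug 2: list orders takes the user id from the request (insecure direct object reference).
def list_orders_vulnerable(req):
    uid = int(req.form["user_id"])           # any user id the client cares to send
    return [oid for oid, o in ORDERS.items() if o["owner"] == uid]

def list_orders_hardened(req):
    return [oid for oid, o in ORDERS.items() if o["owner"] == req.user]   # session only

# --- Bug 3: update profile copies every submitted field (mass assignment).
EDITABLE = {"email"}                         # allow-list of fields a non-admin may change

def update_profile_vulnerable(req):
    PROFILES[req.user].update(req.form)      # "is_admin": True walks straight in
    return PROFILES[req.user]

def update_profile_hardened(req):
    rejected = set(req.form) - EDITABLE
    if rejected:                             # reject rather than silently drop, so misuse is visible in logs
        raise PermissionError(f"fields not editable: {sorted(rejected)}")
    PROFILES[req.user].update({k: req.form[k] for k in EDITABLE if k in req.form})
    return PROFILES[req.user]
```

The common thread is that ownership, allowed state transitions and editable fields are all decided server-side from the session, never from whatever the form happens to contain.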

Comments
  • 1
    It's not a security bug if there's no security to begin with. It's intended behaviour.