• Timothy Andrew's avatar
    Don't display the `is_admin?` flag for user API responses. · 34b71e73
    Timothy Andrew authored
    - To prevent an attacker from enumerating the `/users` API to get a list of all
      the admins.
    - Display the `is_admin?` flag wherever we display the `private_token` - at the
      moment, there are two instances:
      - When an admin uses `sudo` to view the `/user` endpoint
      - When logging in using the `/session` endpoint
session.rb 788 Bytes