很多API并没有实际检查是否有权限访问文档 #43
Description
导致内容泄露
Route::get('/project/{id}', [IndexController::class, 'project']);
Route::get('/project/{id}/posts', [IndexController::class, 'posts']);
Route::get('/project/{id}/events', [IndexController::class, 'events']);
Route::post('/project/{id}/search', [ProjectController::class, 'search']);
Route::get('/post/{id}', [IndexController::class, 'post']);
Route::get('/post/{id}/comments', [IndexController::class, 'comments']);
如上,并没有检查是否有权限访问,直接输出了
/project/1
/project/2
/project/3
比如这样访问,内容就出来了,并没有校验用户权限