User Management Starter allows updating all avatars?
The last two lines of the current User Management Starter:
Would that not allow a malicious user to update someone else's avatar? Is the security through obscurity of the object location/URL? Or am I just misunderstanding something? An update doesn't produce a new URL, right? It changes the object at the referenced path so that the referenced avatar_url wouldn't change but the image at the end of the URL would?