The vulnerability is Missing Authorization
csharp
public class UserController : ApiController
{
    // GET api/user/5
    //
    // Looks up a user record by id and returns it as the response body.
    // Vulnerable as written: the controller carries no [Authorize] attribute and
    // the action never checks that the caller is entitled to the requested
    // record, so unless authorization is enforced elsewhere (e.g. a global
    // filter, not visible here) any caller can read any user's data by id.
    [HttpGet]
    public IHttpActionResult GetUser(int id)
    {
        User requested = Database.GetUserById(id);
        if (requested == null)
        {
            return NotFound();
        }

        return Ok(requested);
    }
}
1. Add the `[Authorize]` attribute to the `UserController` class so that the authorization check applies to every action in the controller. 2. Check that `User.Identity.Name` (the authenticated user's username) matches the username of the requested record (`user.Username`). This ensures that an authenticated user can only read their own record; because the mismatch case also returns `NotFound()`, a caller cannot tell from the response whether a given id exists.
csharp
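[Authorize] // Every action on this controller requires an authenticated caller
public class UserController : ApiController
{
    // GET api/user/5
    //
    // Returns the requested user only when the authenticated caller owns the
    // record, i.e. User.Identity.Name equals user.Username. A missing record and
    // a record owned by someone else both yield NotFound(), so the response does
    // not reveal whether an id exists.
    [HttpGet]
    public IHttpActionResult GetUser(int id)
    {
        User user = Database.GetUserById(id);
        if (user == null)
        {
            return NotFound();
        }

        // Reject principals without a usable name before comparing: string ==
        // treats null == null as equal, so an unnamed principal would otherwise
        // match a record whose Username happens to be null.
        string callerName = User.Identity.Name;
        if (string.IsNullOrEmpty(callerName))
        {
            return NotFound();
        }

        // Ownership check; string == is an ordinal (case-sensitive) comparison.
        // NOTE(review): if usernames are treated case-insensitively when stored,
        // this comparison must follow the same policy — confirm against how
        // Username is assigned.
        if (callerName != user.Username)
        {
            return NotFound();
        }

        return Ok(user);
    }
}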