Hi everyone!
I have a general API question here.
So, the way I understand the approach, there are two layers of data access protection with Strapi – the roles and the JWT token.
Let’s say I’m a user who was able to log in, and am therefore able to see my JWT token via the browser headers. What if I do a:

GET /profiles

(where profiles is connected to the users table) and attach my JWT token. I will be able to see everything in the profiles table, correct? Isn’t that considered a security issue? A user can browse through the records that are assigned to other users using a token that is only assigned to one particular user?