Though it works by matching user_id , it is wrong behavior
Say I want to change your password with my token
if I do
POST /v3/users/<your_user_id> with my token, it will think you as the owner.
I will expect 401 Authz error, but I believe I will get password doesn't match since I may not be knowing your original password which is part of POST request body.
Though it works by matching user_id , it is wrong behavior
Say I want to change your password with my token
if I do
POST /v3/users/ <your_user_ id> with my token, it will think you as the owner.
I will expect 401 Authz error, but I believe I will get password doesn't match since I may not be knowing your original password which is part of POST request body.
I will confirm this and update the bug details.