Open
Description
Describe the bug
Security failure: any user of the system can access any information belonging to other users and institutions through the backend route /api/key, simply by supplying the key of the desired entity.
To Reproduce
Steps to reproduce the behavior:
- Log in to the application with any user, even one that is not active
- Obtain the key of any entity
- Send a request to BACKEND_URL/api/key/entity-key using that user's auth token
Expected behavior
Prevent a user from accessing restricted information.
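One way to implement the expected behaviour, as an added example that is not the project's own code: the handler for the route first checks that the bearer token maps to an active user, then checks that the requested key belongs to that user's own entity. The in-memory data, the user/entity model and the status codes are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory data; the real project's model and route handler are unknown.
@dataclass(frozen=True)
class User:
    name: str
    entity_id: str  # institution/entity the user belongs to
    active: bool

@dataclass(frozen=True)
class Entity:
    entity_id: str
    key: str
    data: str

USERS_BY_TOKEN = {
    "tok-alice": User("alice", "inst-A", active=True),
    "tok-mallory": User("mallory", "inst-B", active=False),  # deactivated account
}
ENTITIES_BY_KEY = {
    "key-A": Entity("inst-A", "key-A", "institution A records"),
    "key-B": Entity("inst-B", "key-B", "institution B records"),
}

def vulnerable_get_key(token: str, entity_key: str) -> tuple[int, Optional[str]]:
    """Mirrors the reported behaviour: any bearer of a known token reads any key."""
    if token not in USERS_BY_TOKEN:
        return 401, None
    entity = ENTITIES_BY_KEY.get(entity_key)
    return (200, entity.data) if entity else (404, None)

def hardened_get_key(token: str, entity_key: str) -> tuple[int, Optional[str]]:
    """Authenticate, reject inactive accounts, then authorise against the object."""
    user = USERS_BY_TOKEN.get(token)
    if user is None or not user.active:
        return 401, None
    entity = ENTITIES_BY_KEY.get(entity_key)
    # Same status for "does not exist" and "not yours": the key space cannot be
    # enumerated, and access is decided by ownership, not by holding any token.
    if entity is None or entity.entity_id != user.entity_id:
        return 404, None
    return 200, entity.data
```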