After using an API key to access an API endpoint like https://my.site/api/showmethemoney?api-key=_D987sgQVVmdk92hx5X8aN (this page is actually a view), I become logged in as admin, so I can access any page of the site, including https://my.site/admin.
This is an issue for me, because I've shared the link to the API with several people, hence all of them can access the site as admin, but they should not be able to do that.
1. As an anonymous user, open some API page using the API key in the URL, e.g.: https://my.site/api/hereyouare?api-key=_D987sgQVVmdk92hx5X8aN
2. Now you can access any page on the site, e.g.: https://my.site/admin/config/development/performance
So what can I do to make it impossible to log in to the site (become authenticated) by just using the API key?
Closed: outdated
1.3
Code