I suppose this might not be a “bug”, but it is a serious issue.
Last night I started playing with the REST API, making calls against a non-public forum. I found that once I had the API key from Discourse, I needed a username to make any call - which makes sense, since the forum is private.
But I found that I can use any username from any user and it works. So once someone has the API key, they can impersonate any user in the forum? There is no need to authenticate that user’s credentials - all you need to know is their username.
Is this not a major gaping security hole?