Description
A normal user who has not been granted access to the requested items module can still access and view the requested content.
This is a more detailed explanation of the following report, which was marked as invalid:
https://huntr.dev/bounties/783cfb0c-7e4d-4fdd-86c6-bd92743aee41/
Proof of Concept
- Create two users, one admin and one normal user (give the normal user only the view accessories permission).
- In the screenshot, you can see that the normal user does not have access to the requested module.
- But with forced browsing, we can clearly see that the normal user can access the requested module.
Screenshots
Accessories view permission granted to the normal user
![alt text](https://raw.githubusercontent.com/shubh123-tri/images/main/Accessroies_permission.JPG)
![alt text](https://raw.githubusercontent.com/shubh123-tri/images/main/normal_user_accessories.png)
Normal user view requested items
![alt text](https://raw.githubusercontent.com/shubh123-tri/images/main/normal_user_accessories_2.png)
Impact
This vulnerability allows an attacker to view restricted content.
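The gap reported above (a module hidden from the user's menu but still served on direct request) can be caught with a check that compares what the UI shows against what the server enforces. This is an added example, not code from the affected project; the route paths, permission names and the `Route` model are hypothetical and the route table is constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    path: str
    menu_permission: str               # permission the UI checks before showing the link
    server_permission: Optional[str]   # permission the handler enforces; None = no check


# Constructed route table (hypothetical paths and permission names).
ROUTES = [
    Route("/accessories", "accessories.view", "accessories.view"),
    Route("/requested-items", "requested.view", None),  # hidden in the UI only
]

NORMAL_USER = {"accessories.view"}                  # as in the proof of concept
ADMIN = {"accessories.view", "requested.view"}


def menu_for(perms, routes):
    """Paths the UI renders as links for a user holding `perms`."""
    return {r.path for r in routes if r.menu_permission in perms}


def server_allows(perms, route):
    """Outcome when the URL is requested directly, bypassing the menu."""
    return route.server_permission is None or route.server_permission in perms


def forced_browsing_gaps(perms, routes):
    """Paths hidden from the user's menu that the server would still serve."""
    visible = menu_for(perms, routes)
    return sorted(r.path for r in routes
                  if r.path not in visible and server_allows(perms, r))


def harden(routes):
    """Make every handler enforce the same permission the menu checks."""
    return [Route(r.path, r.menu_permission,
                  r.server_permission or r.menu_permission) for r in routes]


if __name__ == "__main__":
    print("before:", forced_browsing_gaps(NORMAL_USER, ROUTES))
    print("after: ", forced_browsing_gaps(NORMAL_USER, harden(ROUTES)))
```

Running the same comparison for every role in a test suite turns this class of bug into a failing build rather than a manual finding.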