It seems that without authorisation (logging in) I can use things like get personal user data from any id I enter without logging in.
This means anyone who looks into the game source code and gets the "secret" key can do all kinds of things without even having to sign in, it seems.
Am I missing something, or is Combu without any security, or do I have to turn this on somewhere?
Even after logging in as a player, I would assume that deleting players and other functions are strictly forbidden for a normal player, and asking for player data would only be allowed for friends of the logged-in player. So far it seems that anyone can do about everything as long as they know the URL of the server and the "secret" key, both of which can easily be gotten out of the game itself.
If someone gets your secret key and understands how to build a correct call to the web services, then there's really nothing you can do to work around it, though that's also how a RESTful service works (obfuscation is usually a standard for product releases, even if you cannot be guaranteed 100%). The API methods to completely manage the Users and almost everything from the client side are there for convenience or were requested by the community; there are a lot of different apps and games out there and we cannot limit the creativity with too many restrictions.
Delete and Change/Reset Password require the current password/code, take a look at the API documentation.
Anyway, if you downloaded the last update from the Asset Store, please download the version that you can find on this website in your purchase history (there's a link there to redeem an Asset Store purchase invoice, if you haven't yet), because we re-added the security check for all User web services except for create and exists a few days ago.
FRANCESCO CROCETTI @ SKARED CREATIONS
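
The access rules the question asks for (no user data without a login, profiles visible only to the owner and friends, no deletion by normal players), sketched as an added example that is not part of the thread and not Combu's code. Every name, the data, and the admin-only delete rule are assumptions made for illustration; the point is that the shared key only identifies the app, while the decision is made from a server-side session.

```python
import hashlib
import hmac
import secrets

# Constructed sample data; none of these names come from Combu.
APP_SECRET = b"shared-key-shipped-in-client"  # anyone can extract this from the game build
FRIENDS = {1: {2}, 2: {1}, 3: set()}          # user id -> ids of that user's friends
ADMINS = {99}                                 # assumption: only admins may delete users
SESSIONS = {}                                 # session token -> user id, kept server-side


def sign(params: str) -> str:
    """App-level signature: shows the caller holds the shared key, not who the caller is."""
    return hmac.new(APP_SECRET, params.encode(), hashlib.sha256).hexdigest()


def login(user_id: int) -> str:
    """Issue a random per-user session token (the password check is omitted here)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def authorize(action: str, target_id: int, params: str, signature: str, token=None) -> bool:
    """Decide a request on the server; the client-supplied key alone is never enough."""
    # 1. Reject calls that were not built with the app key (weak filter only).
    if not hmac.compare_digest(sign(params), signature):
        return False
    # 2. Identify the caller from the server-side session, not from request parameters.
    caller = SESSIONS.get(token)
    if caller is None:
        return False
    # 3. Per-action policy, evaluated against the authenticated caller.
    if action == "get_profile":
        return caller == target_id or target_id in FRIENDS.get(caller, set())
    if action == "delete_user":
        return caller in ADMINS
    return False  # default deny for anything not listed
```
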