View User API Call Issue

Hey there,

During preliminary security stress testing, a fellow colleague and I found that we could update user properties via the View User API Call (User | Chat Platform API | Sendbird Docs).

For example, a PUT request (https://{application-id}{user-id}/ with the body parameters

    "is_active": false

Could deactivate the user. Is this intended?

We also noticed that once a user has been deactivated and then reactivated, the user would lose all their chats. We were unsure if this was also intended?


Managed to find out about the API call also being used to update various properties, as listed here: User | Chat Platform API | Sendbird Docs

My colleague and I, however, are still curious about the consequence of deactivating/reactivating a user, where all the existing chats are deleted. Is this an intended effect?

Just realised the leave_all_when_deactivated user property. This has solved our question/issue!

1 Like