View User API Call Issue

Hey there,

During preliminary security stress testing, a fellow colleague and I found that we could update user properties via the View User API Call (User | Chat Platform API | Sendbird Docs).

For example, a PUT request (https://{application-id}.sendbird.com/v3/users/{user-id}/) with the body parameters

{
    "is_active": false
}

could deactivate the user. Is this intended?

We also noticed that once a user has been deactivated and then reactivated, the user would lose all their chats. We were unsure if this was also intended.

Regards,
Brandon

Managed to find out about the API call also being used to update various properties, as listed here: User | Chat Platform API | Sendbird Docs

My colleague and I, however, are still curious about the consequence of deactivating/reactivating a user, where all the existing chats are deleted. Is this an intended effect?

Just realised the leave_all_when_deactivated user property. This has solved our question/issue!
