I went to test out some functionality with the new image widget.
I uploaded my image into the widget, then went to check on the load URL for the image in the widget. It was of the format
This is not namespaced! I was able to easily guess another user’s image filename and see that image.
Then, I was able to upload a file with the same name to my own dashboard and overwrite that user’s image. I’m sure this affected their dashboard. It was not my intention to do any damage, just to test.
Please fix this!
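
The behaviour reported above and one way to close it, as an added example that is not part of the original post or the product's own code. The class names, the user ids, the in-memory dictionary standing in for the image store, and the extension allow-list are all assumptions, as is the rule that an image is readable only by the user who uploaded it.

```python
import os
import secrets

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}  # assumed allow-list


class FlatStore:
    """Behaviour described in the report: one shared namespace keyed by filename."""

    def __init__(self):
        self.objects = {}

    def upload(self, user_id, filename, data):
        self.objects[filename] = data  # same name from any user replaces the file
        return filename

    def load(self, user_id, key):
        return self.objects[key]  # no ownership check: a guessed name is enough


class NamespacedStore:
    """Server-chosen, per-user, unguessable keys with an ownership check."""

    def __init__(self):
        self.objects = {}  # key -> (owner_id, data)

    def upload(self, user_id, filename, data):
        ext = os.path.splitext(filename)[1].lower()
        if ext not in ALLOWED_EXT:
            raise ValueError("unsupported image type")
        # The client's filename contributes only its extension; the key is the
        # server-side user id plus 128 random bits, so it cannot collide with
        # or be derived from another user's upload.
        key = f"{user_id}/{secrets.token_urlsafe(16)}{ext}"
        if key in self.objects:  # never overwrite an existing object
            raise FileExistsError(key)
        self.objects[key] = (user_id, data)
        return key

    def load(self, user_id, key):
        entry = self.objects.get(key)
        if entry is None or entry[0] != user_id:
            # Same error for "missing" and "not yours" so keys cannot be probed.
            raise PermissionError("not found")
        return entry[1]
```
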