

Mocaroni, a free API prototyping tool - briandear
https://www.mocaroni.com

======
joshmn
This is cool, but you're missing one huge thing that is a glaring, glaring
issue.

Are you not checking that the logged in user can access their own API
projects? I signed up and was able to access whatever project I wanted. I
created project 178, was able to change that to 171, to 2, to whatever I
wanted, and saw their endpoints and what they were doing.

[https://www.mocaroni.com/projects/2/paths/new](https://www.mocaroni.com/projects/2/paths/new)

That's scoping 101. I see this is a Rails app. current_user.projects.find(2)

Like, hello?

That makes me wonder what else is available.
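The scoping difference joshmn points to, as an added Ruby example that is not from the thread and not Mocaroni's code: a Rails-free, in-memory model where the projects table, the owner ids and the project names are all constructed, contrasting an unscoped `Project.find` with an owner-scoped `current_user.projects.find`.

```ruby
# Minimal stand-in for ActiveRecord's lookup behaviour (no Rails needed).
class RecordNotFound < StandardError; end

Project = Struct.new(:id, :owner_id, :name)

# Constructed in-memory "projects" table: two rows owned by user 1, one by user 7.
PROJECTS = [
  Project.new(2,   1, "alice-api"),
  Project.new(171, 1, "alice-staging"),
  Project.new(178, 7, "bob-api"),
].freeze

# Unscoped lookup, the Project.find(params[:id]) shape: any authenticated
# user reaches any row just by changing the id in the URL.
def find_project_unscoped(id)
  PROJECTS.find { |p| p.id == id } or raise RecordNotFound, "project #{id}"
end

# Owner-scoped lookup, the current_user.projects.find(params[:id]) shape:
# the association narrows the table to the caller's rows *before* the id
# is looked up, so someone else's id is simply not found.
def find_project_for_user(user_id, id)
  owned = PROJECTS.select { |p| p.owner_id == user_id }
  owned.find { |p| p.id == id } or raise RecordNotFound, "project #{id}"
end

# What a controller action should hand back: the project name when the
# caller owns it, :not_found otherwise (Rails turns RecordNotFound into 404).
def project_for_request(user_id, id)
  find_project_for_user(user_id, id).name
rescue RecordNotFound
  :not_found
end

# The same contrast as it would read in a Rails controller (assumed shape,
# not Mocaroni's actual code):
#   @project = Project.find(params[:project_id])                 # unscoped
#   @project = current_user.projects.find(params[:project_id])   # scoped
```

The defensive habit is to make the scoped form the only way a controller ever loads a project, typically in a `before_action`, so that no individual action can forget it.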

