Read-Only user can delete users
High
Helium
Reported by
amr_
Vulnerability Details
Technical details and impact analysis
Hello,

This endpoint (DELETE /api/invitations/0ff7e9f9-877a-40cc-b99f-f6b3b1bea3f8) is vulnerable to Insecure Direct Object Reference.

Steps to reproduce the bug

Let's assume that three accounts exist:

- [email protected] (role Administrator)
- [email protected] (role Read-Only)
- [email protected] (invited user)

All three accounts are in the same organization (h1).

[email protected] can't delete [email protected], but we can do that:

1. From [email protected], go to delete [email protected]. The request looks like this: `DELETE /api/invitations/0ff7e9f9-877a-40cc-b99f-f6b3b1bea3f8`
2. Take the id of [email protected]: `0ff7e9f9-877a-40cc-b99f-f6b3b1bea3f8`
3. Go to [email protected], switch to another organization (h2), and go to delete an invited user from this organization (h2): `DELETE /api/invitations/a996881d-7177-43fb-be7c-da3a6b005f40`
4. Change the id (`a996881d-7177-43fb-be7c-da3a6b005f40`) to the id you got from [email protected] (`0ff7e9f9-877a-40cc-b99f-f6b3b1bea3f8`).

Response:

```http
HTTP/1.1 204 No Content
Date: Mon, 01 Jun 2020 18:47:43 GMT
Content-Length: 0
Connection: close
Cache-Control: max-age=0, private, must-revalidate
Message: User removed from organization
Strict-Transport-Security: max-age=31536000
Via: 1.1 vegur
CF-Cache-Status: DYNAMIC
cf-request-id: 0312cf14d40000edeb299e9200000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 59cb1ace2eeaedeb-CDG
```

Now the account [email protected] is deleted from [email protected].

I can make a PoC.

Thanks
## Impact
Read-Only user can delete users
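The report describes the classic shape of an IDOR in a multi-tenant API: the server verifies the caller's role in the organization they are currently viewing, but never verifies that the invitation named in the URL belongs to that organization, so an ID copied from one organization can be deleted from another. The following is an added illustrative example, not the vendor's code; the in-memory `Store`, the `Invitation` model, the organization names `h1`/`h2`, the e-mail addresses and the invitation ids are all constructed for the demonstration. It shows the flawed authorization check beside a hardened version that resolves the invitation first, binds it to the caller's active organization, and only then checks the caller's role in that organization.

```python
"""Object-level authorization for DELETE /api/invitations/<id>.

Illustrative example (assumed models, not the vendor's implementation).
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

ADMIN = "Administrator"
READ_ONLY = "Read-Only"


@dataclass
class Invitation:
    id: str
    org_id: str      # organization that issued the invitation
    email: str


@dataclass
class Store:
    # org_id -> {member_email: role}
    memberships: Dict[str, Dict[str, str]] = field(default_factory=dict)
    invitations: Dict[str, Invitation] = field(default_factory=dict)

    def role_of(self, org_id: str, user: str) -> Optional[str]:
        return self.memberships.get(org_id, {}).get(user)


def delete_invitation_vulnerable(store: Store, caller: str,
                                 active_org: str, invitation_id: str) -> int:
    """Flawed handler: checks the caller's role in the org they are viewing,
    but deletes whatever invitation the URL names, regardless of its org."""
    if store.role_of(active_org, caller) != ADMIN:
        return 403
    removed = store.invitations.pop(invitation_id, None)
    return 204 if removed else 404


def delete_invitation_fixed(store: Store, caller: str,
                            active_org: str, invitation_id: str) -> int:
    """Hardened handler: the invitation must belong to the active org, and
    the caller must be an Administrator of *that* org."""
    inv = store.invitations.get(invitation_id)
    # Treat a foreign-org invitation exactly like a missing one, so the
    # response does not confirm that the id exists elsewhere.
    if inv is None or inv.org_id != active_org:
        return 404
    if store.role_of(inv.org_id, caller) != ADMIN:
        return 403
    del store.invitations[invitation_id]
    return 204


def build_scenario() -> Store:
    """Constructed fixture mirroring the report: a Read-Only member of h1
    who is an Administrator of a second organization h2."""
    store = Store()
    store.memberships["h1"] = {"admin@h1.example": ADMIN,
                               "reader@example.test": READ_ONLY}
    store.memberships["h2"] = {"reader@example.test": ADMIN}
    store.invitations["inv-h1"] = Invitation("inv-h1", "h1", "invited@h1.example")
    store.invitations["inv-h2"] = Invitation("inv-h2", "h2", "invited@h2.example")
    return store


if __name__ == "__main__":
    s = build_scenario()
    # Direct attempt in h1 is refused, but the cross-org id swap succeeds.
    print(delete_invitation_vulnerable(s, "reader@example.test", "h1", "inv-h1"))
    print(delete_invitation_vulnerable(s, "reader@example.test", "h2", "inv-h1"))
    s = build_scenario()
    # Hardened handler refuses the swap and still lets the real admin delete.
    print(delete_invitation_fixed(s, "reader@example.test", "h2", "inv-h1"))
    print(delete_invitation_fixed(s, "admin@h1.example", "h1", "inv-h1"))
```

The ordering in the fixed handler matters: resolving the object and checking its tenant before the role check means the role lookup is always performed against the organization that actually owns the invitation, not against whichever organization the client chose to be "in" when it sent the request.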
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Insecure Direct Object Reference (IDOR)