Fixed security issue in loading the authorization for ViewLists. · 849fcb82
Fokkema authored
- During Find & Replace implementation, the code was changed to load the gene-specific authorization using $_REQUEST rather than $_GET. However, the filtering of the results was still using $_GET. Hence, authorizations can be loaded forging a $_POST request while not necessarily filtering the results using $_GET.
- This allowed Curators to craft special requests to load VLs with non-public data of other genes.
- Solved this by enforcing filtering when authorizing Curators.
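The request-source mismatch the commit describes, as an added illustration that is not LOVD's own code: `isCurator()`, the `gene` parameter and the query fragments are hypothetical, and `$get`/`$request` stand in for `$_GET`/`$_REQUEST` so the logic can be exercised without a web server.

```php
<?php
// Added illustration of the bug pattern; not LOVD code. All names are hypothetical.
// $get and $request stand in for $_GET and $_REQUEST ($_REQUEST merges GET and
// POST, and COOKIE depending on request_order), so a gene sent only in the POST
// body is present in $request but absent from $get.

function isCurator(string $gene, array $curatedGenes): bool
{
    return in_array($gene, $curatedGenes, true);
}

// BEFORE the fix: authorization is loaded from $request, but the per-gene
// filter is only added when the gene arrives via $get. With the gene only in
// the POST body the curator check passes while no filter is applied, so the
// non-public rows of every gene come back.
function buildWhereVulnerable(array $get, array $request, array $curatedGenes): array
{
    $where  = [];
    $params = [];
    if (isCurator($request['gene'] ?? '', $curatedGenes)) {
        if (!empty($get['gene'])) {          // filter keyed on a different source
            $where[]        = 'gene = :gene';
            $params['gene'] = $get['gene'];
        }
    } else {
        $where[] = 'public = 1';             // non-curators only see public data
    }
    return [$where, $params];
}

// AFTER the fix: the gene is read once, and whenever curator authorization is
// granted the filter on that same gene is always enforced, never optional.
function buildWhereFixed(array $get, array $request, array $curatedGenes): array
{
    $gene   = $request['gene'] ?? '';
    $where  = [];
    $params = [];
    if ($gene !== '' && isCurator($gene, $curatedGenes)) {
        $where[]        = 'gene = :gene';    // bound parameter, always present
        $params['gene'] = $gene;
    } else {
        $where[] = 'public = 1';
    }
    return [$where, $params];
}

// Constructed case: the gene field was POSTed, so $get carries no gene.
$get = [];
$request = ['gene' => 'GENE_A'];
[$whereVuln]  = buildWhereVulnerable($get, $request, ['GENE_A']);
[$whereFixed] = buildWhereFixed($get, $request, ['GENE_A']);
printf("vulnerable: %s\nfixed: %s\n", implode(' AND ', $whereVuln) ?: '(no filter)', implode(' AND ', $whereFixed));
```

For the constructed request the vulnerable builder yields no WHERE clause at all, while the fixed builder always restricts the curator to the gene they were authorized for.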