If you inspect element and go to either console or network, the userId of every user in a room is exposed (through both REST requests and through socket messages). Basically, that means anyone can send in host-only requests as well as delete random users (if we re-add in the delete users endpoint)
If you inspect element and go to either console or network, the userId of every user in a room is exposed (through both REST requests and through socket messages). Basically, that means anyone can send in host-only requests as well as delete random users (if we re-add in the delete users endpoint)