It shouldn't be possible to modify someone else's draft issues
Currently, since it's possible to create issues anonymously, anyone can guess the ID of the next draft issue that will be created and use the API to update it or add/remove pictures.
That shouldn't be possible.
So here's what I think we should do:
- when a draft issue is created (at least by an anonymous user), generate a secret token, store it in the issue, and send it back in the JSON
- store this secret token in the URL with the ID of the issue
- every time we update, add a picture or remove a picture for this issue, send this secret token using a custom header, which would play the role of the Authorization token
- on the server side, check that the submitted token is identical to the one stored in the issue, and send a 403 Forbidden response if not
It would be nicer if that was only necessary for anonymous users. For authenticated users, we can just store the user ID in the issue, and check that the current user ID is identical to the stored user ID.
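
The scheme proposed above, sketched as an added example that is not the project's own code: an anonymous draft gets a random token that must come back in a custom header, while a draft created by a logged-in user is checked by user ID. The header name `X-Issue-Token`, the in-memory store and the function names are assumptions made for illustration.

```python
import hmac
import itertools
import secrets

TOKEN_HEADER = "X-Issue-Token"   # hypothetical custom header name

_issues = {}                     # in-memory stand-in for the issue store
_next_id = itertools.count(1)    # sequential, guessable IDs as in the report


def create_draft(user_id=None):
    """Create a draft; an anonymous draft gets a secret token."""
    issue = {"id": next(_next_id), "user_id": user_id, "token": None}
    if user_id is None:
        # Random bytes from the OS CSPRNG: unguessable, unlike the ID.
        issue["token"] = secrets.token_urlsafe(32)
    _issues[issue["id"]] = issue
    # JSON body sent back to the creator (token is None for logged-in users).
    return {"id": issue["id"], "token": issue["token"]}


def authorize_change(issue_id, headers, current_user_id=None):
    """Return the HTTP status for an update / add-picture / remove-picture."""
    issue = _issues.get(issue_id)
    if issue is None:
        return 404
    if issue["user_id"] is not None:
        # Draft owned by an authenticated user: compare user IDs.
        return 200 if current_user_id == issue["user_id"] else 403
    # Plain dict lookup; a real framework matches header names
    # case-insensitively.
    supplied = headers.get(TOKEN_HEADER, "")
    # Constant-time comparison so response timing does not leak the token.
    if supplied and hmac.compare_digest(supplied.encode(),
                                        issue["token"].encode()):
        return 200
    return 403
```

Knowing or guessing the issue ID alone now yields a 403; only the client that received the token at creation, or the owning user, can change the draft.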