
Unauthorized Access to pending Assets through enumeration

Open moritztim opened this issue 9 months ago • 1 comment

~~https://godotengine.org/asset-library/asset/edit/9752~~ <- this has since been approved You should not be able to see details of a pending asset. Yet you can, ~~by following the link above. I could have found that link~~ through enumeration, since the db uses incrementing numeric ids.

[image: screenshot of the pending asset page] As you can see, I am not logged in, yet able to view this pending asset.

moritztim avatar Nov 14 '23 16:11 moritztim

This is a security risk in 2 scenarios:

  1. A malicious asset could be presented as legitimate since it's accessible on the official asset lib. There's nothing on the page to suggest that this is not approved.
  2. (less likely) A malicious actor finds a pending asset with sensitive info accidentally left in there.

moritztim avatar Nov 14 '23 16:11 moritztim
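Added example (not code from godot-asset-library): a minimal view handler that closes the gap the issue describes. Pending assets are only served to their owner or a moderator, a pending asset that is shown carries an explicit review-state banner (scenario 1), and an unauthorized id returns the same 404 as a missing id so sequential-id enumeration learns nothing about pending entries. All names, the sample table and the ids used as data are constructed for the example.

```python
# Added example, not godot-asset-library code. Names are hypothetical.
from dataclasses import dataclass
from typing import Optional

PENDING, APPROVED, REJECTED = "pending", "approved", "rejected"

@dataclass
class Asset:
    id: int
    owner_id: int
    status: str
    title: str

@dataclass
class User:
    id: int
    is_moderator: bool = False

# Constructed sample data: a sequential-id table like the one the issue describes.
ASSETS = {
    9751: Asset(9751, owner_id=1, status=APPROVED, title="Public tileset"),
    9752: Asset(9752, owner_id=2, status=PENDING, title="Unreviewed plugin"),
}

def can_view(asset: Asset, user: Optional[User]) -> bool:
    """Approved assets are public; anything else only for the owner or a moderator."""
    if asset.status == APPROVED:
        return True
    if user is None:
        return False
    return user.is_moderator or user.id == asset.owner_id

def asset_view(asset_id: int, user: Optional[User]) -> tuple[int, dict]:
    """Return (http_status, body). A missing id and an id the caller may not
    see both produce the same 404, so there is no 'exists but hidden' oracle."""
    asset = ASSETS.get(asset_id)
    if asset is None or not can_view(asset, user):
        return 404, {"error": "not found"}
    body = {"id": asset.id, "title": asset.title, "status": asset.status}
    # Make review state explicit so a pending asset cannot pass as approved,
    # even to the owner or moderator who is allowed to see it.
    if asset.status != APPROVED:
        body["banner"] = f"This asset is {asset.status} and has not been reviewed."
    return 200, body

def audit_visible_ids(start: int, end: int, user: Optional[User]) -> list[int]:
    """Defender-side check: walk an id range as `user` would and list what is served.
    For an anonymous user this should contain approved assets only."""
    return [i for i in range(start, end + 1) if asset_view(i, user)[0] == 200]
```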