springboot-openai-chatgpt IDOR and business logic vulnerability
## intro
Any user can update the number of questions they are allowed to ask.
## PoC
Nothing restricts ordinary users from recharging their own question count, an essential operation that belongs to the administrator.

For details, see the code: https://github.com/274056675/springboot-openai-chatgpt/blob/e84f6f5394fd9c7bbbfe1118c02f45de52abbdae/chatgpt-boot/src/main/java/org/springblade/modules/mjkj/controller/MngController.java#L58
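
A review aid for the class of flaw described above, added here as an example and not taken from the original page or the project's code: it lists Spring controller handlers that carry a request-mapping annotation but no authorization annotation on the method or its class. The sample controller, its method names and the set of guard annotations are assumptions, and the line-based parsing expects one annotation per line.

```python
import re

# Spring MVC annotations that expose a method as an HTTP endpoint.
MAPPING = {"RequestMapping", "GetMapping", "PostMapping",
           "PutMapping", "DeleteMapping", "PatchMapping"}
# Spring Security / JSR-250 guards (assumption: extend with the code base's own guard annotation).
AUTHZ = {"PreAuthorize", "Secured", "RolesAllowed"}

CLASS_RE = re.compile(r"\bclass\s+(\w+)")
METHOD_RE = re.compile(r"(?:public|protected|private)\s+[\w<>\[\],.? ]+\s+(\w+)\s*\(")

def unguarded_handlers(java_source, authz=AUTHZ):
    """Return (class, method, line_no) for mapped handlers with no authz annotation."""
    findings, pending = [], set()
    cls, cls_guarded = None, False
    for no, raw in enumerate(java_source.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("//", "/*", "*")):
            continue                              # skip blanks and comments
        ann = re.match(r"@(\w+)", line)
        if ann:                                   # collect annotations until a declaration
            pending.add(ann.group(1))
            continue
        c, m = CLASS_RE.search(line), METHOD_RE.match(line)
        if c:                                     # a class-level guard covers every handler
            cls, cls_guarded = c.group(1), bool(pending & authz)
        elif m and pending & MAPPING and not (pending & authz or cls_guarded):
            findings.append((cls, m.group(1), no))
        if c or m or line[-1] in ";{}":           # declaration consumed its annotations
            pending = set()
    return findings

# Constructed sample, not the project's source; all names are hypothetical.
SAMPLE = '''
@RestController
@RequestMapping("/mng")
public class DemoMngController {
    @PostMapping("/recharge")
    public R recharge(@RequestBody Map<String, Object> body) { return svc.add(body); }
    @PreAuthorize("hasRole('ADMIN')")
    @PostMapping("/recharge-guarded")
    public R rechargeGuarded(@RequestBody Map<String, Object> body) { return svc.add(body); }
}
'''

if __name__ == "__main__":
    for cls, method, no in unguarded_handlers(SAMPLE):
        print(f"{cls}.{method} (line {no}): no authorization annotation")
```

A hit is a lead for manual review, not proof of a flaw, because access can also be enforced in a filter or interceptor that this check does not see.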

## Result
Any user can update the number of questions they are allowed to ask.
