A tester accesses `/api/users/1001` and then changes the ID to `/api/users/1002` to view another user's data without authorization.What vulnerability is this?