Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-43977
Summary
wger exposes a REST API endpoint that allows any authenticated user to retrieve the private workout session notes, exercise logs, and training statistics belonging to another user, as long as that user has at least one routine marked as a public template.

The vulnerability exists in RoutineViewSet (wger/manager/api/views.py). The view defines two custom actions, /logs/ and /stats/, that are intended to return data for the requesting user's own training history within a routine. However, the underlying permission check (RoutinePermission.has_object_permission) grants read access to any authenticated user when the routine has is_template=True, regardless of ownership.

When the /logs/ or /stats/ actions are invoked against a routine the attacker does not own, they return the owner's private workout history, not the attacker's.
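The following is an added illustration, not wger's code: it models the permission pattern described above in plain Python so the two behaviours can be compared. The class and function names (User, Routine, Request, weak_has_object_permission, hardened_has_object_permission) are assumptions, and the view's action name is passed in explicitly where a DRF permission would read it from the view.

```python
from dataclasses import dataclass

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")
# Actions that return a user's private training history rather than
# the routine template itself (hypothetical names mirroring /logs/ and /stats/).
PRIVATE_ACTIONS = {"logs", "stats"}


@dataclass
class User:
    username: str


@dataclass
class Routine:
    owner: User
    is_template: bool = False


@dataclass
class Request:
    user: User
    method: str = "GET"


def weak_has_object_permission(request, routine):
    """Template-wide read access: any authenticated user may read a public
    template. Applied uniformly to every viewset action, this also covers
    the history actions, which is the flaw the advisory describes."""
    if request.method in SAFE_METHODS and routine.is_template:
        return True
    return routine.owner == request.user


def hardened_has_object_permission(request, routine, action):
    """Ownership is always required for actions that expose the owner's
    private history; template visibility applies only to the routine itself."""
    if action in PRIVATE_ACTIONS:
        return routine.owner == request.user
    if request.method in SAFE_METHODS and routine.is_template:
        return True
    return routine.owner == request.user


def demo():
    """Constructed scenario: bob reads alice's public template routine."""
    alice, bob = User("alice"), User("bob")
    template = Routine(owner=alice, is_template=True)
    as_bob, as_alice = Request(user=bob), Request(user=alice)
    return {
        "weak_logs": weak_has_object_permission(as_bob, template),
        "hardened_logs": hardened_has_object_permission(as_bob, template, "logs"),
        "hardened_retrieve": hardened_has_object_permission(as_bob, template, "retrieve"),
        "hardened_owner_logs": hardened_has_object_permission(as_alice, template, "logs"),
    }
```

A defensive test for this class of bug asserts, per action, that a non-owner's request against a template routine is denied for every history action while the template itself stays readable.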
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- HIGH
- NONE
CWE-200 - Information Exposure
An information exposure vulnerability is categorized as an information flow (IF) weakness, which can potentially allow unauthorized access to otherwise classified information in the application, such as confidential personal information (demographics, financials, health records, etc.), business secrets, and the application's internal environment.