Fix!
It was noted on IRC by "Krenair" that the block/unblock modules in the API would allow a user to block/unblock another user without passing a token (never mind whether the token was actually valid).
After some poking around, I noticed it was due to the 'gettoken' parameter that both have, whereas the other modules do not have this.
$foo['bar'] = false;
...
!isset( $foo['bar'] ) evaluates to false, and it meant the code to die for a missing token parameter was never met, due to the wrong evaluation.
if ( $salt !== false && !$moduleParams['gettoken'] ) {
Version: unspecified
Severity: normal
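The evaluation described above, as an added example that is not part of the original report or of the MediaWiki code base. It is a simplified model: the function names and the sample parameters are constructed, and only `$salt`, `$moduleParams['gettoken']` and the two conditions come from the report.

```php
<?php
// Simplified model of the token gate. Function names and sample data are
// constructed for illustration; token validation itself is left out.

// Condition as described in the report: once defaults are filled in, the
// 'gettoken' key exists with the value false, so isset() is true and the
// gate never runs for modules that declare the parameter.
function tokenCheckRunsBuggy( array $moduleParams, $salt ): bool {
    return $salt !== false && !isset( $moduleParams['gettoken'] );
}

// Corrected condition quoted in the report: test the value, not the key.
function tokenCheckRunsFixed( array $moduleParams, $salt ): bool {
    return $salt !== false && !$moduleParams['gettoken'];
}

// Rejects the request when the gate runs and no token was supplied.
function gate( bool $checkRuns, array $moduleParams ): string {
    if ( $checkRuns && !isset( $moduleParams['token'] ) ) {
        return 'rejected: missing token';
    }
    return 'allowed';
}

// Constructed: any non-false salt means the module requires a token.
$salt = '';

// Constructed request parameters, as they look after defaults are applied.
$cases = [
    'no token, gettoken default' =>
        [ 'user' => 'Example', 'token' => null, 'gettoken' => false ],
    'gettoken requested' =>
        [ 'user' => 'Example', 'token' => null, 'gettoken' => true ],
    'token supplied' =>
        [ 'user' => 'Example', 'token' => 'constructed-token', 'gettoken' => false ],
];

foreach ( $cases as $label => $params ) {
    printf(
        "%-28s buggy: %-26s fixed: %s\n",
        $label,
        gate( tokenCheckRunsBuggy( $params, $salt ), $params ),
        gate( tokenCheckRunsFixed( $params, $salt ), $params )
    );
}
```

A regression test for this class of bug should issue the state-changing request with the token parameter absent and assert that it is rejected, for every module that declares a defaulted flag like 'gettoken'.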