1 admin creates a cluster
2 admin adds user1 as one owner
3 attack login as user1
4 user1 edit the the cluster
5 user1 finds that the name and type can not be changed.
6 user1 still edits the cluster and using the burpsuit to hijack the request
7 the request content can be like
{“name”:“cluster1”,“type”:“AGENT”,“clusterTags”:“biaoqian3”,“inCharges”:“admin,user1”,“description”:“tst”,“id”:3,“version”:1}
8 change the name as cluster2(we can also change type)
9 result shows that the the name was successfully changed as te2