Task 3 – Cross-site request forgery
While the code uses UUIDs to identify most objects, some form actions are still susceptible to cross-site request forgery attacks (for instance the newmessage and the createchannel actions.)
Implement anti-CSRF tokens or otherwise prevent CSRF on the vulnerable forms.