Avatar API concerning outfits loads a player's purchased bundles which bypasses private inventory restrictions

Reproduction Steps
Use Avatar API V1 or V2 to check for a user’s outfit:
/v2/avatar/users/{userId}/outfits
/v1/users/{userId}/outfits

Expected Behavior
The API shouldn’t be able to bypass private inventories to load a user’s purchased bundles. It shouldn’t return them if the user’s inventory is private. From my understanding, Roblox doesn’t want to restrict outfits, so this only goes for bundles you purchase and not for outfits you create.

Actual Behavior
The API returns the player’s entire owned bundles list even if their inventory is private.

Issue Area: Other / Other
Issue Type: Other
Impact: Very High
Frequency: Constantly
Date First Experienced: Since outfits and bundles were merged into one category
Date Last Experienced: Current Date

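The expected behavior from the report, sketched as an added example that is not part of the original post and is not Roblox's code: the outfits response reuses the same visibility decision as the inventory, so bundle-derived outfits are withheld when the inventory is private while user-created outfits are still returned. The `User`, `Outfit`, `can_view_inventory` and `list_outfits` names, the `inventory_private` flag and the `source` field are all hypothetical, and privacy is assumed to be a simple on/off setting.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class User:
    id: int
    inventory_private: bool  # hypothetical privacy flag


@dataclass(frozen=True)
class Outfit:
    id: int
    name: str
    source: str  # hypothetical: "created" by the user, or "bundle" (purchased)


def can_view_inventory(viewer_id: Optional[int], owner: User) -> bool:
    """One policy decision, reused by every endpoint that reveals owned items."""
    return viewer_id == owner.id or not owner.inventory_private


def list_outfits(viewer_id: Optional[int], owner: User,
                 outfits: List[Outfit]) -> List[Outfit]:
    """Outfits response: bundle-derived entries count as inventory data."""
    if can_view_inventory(viewer_id, owner):
        return list(outfits)
    # Private inventory, other viewer: only user-created outfits are returned.
    return [o for o in outfits if o.source == "created"]


# Constructed sample data, not real accounts or items.
OWNER = User(id=1001, inventory_private=True)
OUTFITS = [
    Outfit(1, "My casual look", "created"),
    Outfit(2, "Constructed Bundle A", "bundle"),
    Outfit(3, "Constructed Bundle B", "bundle"),
]

if __name__ == "__main__":
    for viewer in (None, 2002, OWNER.id):
        names = [o.name for o in list_outfits(viewer, OWNER, OUTFITS)]
        print(f"viewer={viewer}: {names}")
```

Routing both the inventory and outfits handlers through one policy function is what keeps a later merge of item categories from opening a second, unchecked path to the same data.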