Clarifies requirements for /profile.put

Dorthu · Dorthu · commit 7ea2afa74ff1 · 2018-06-20T11:30:38.000-04:00
@ctarquini forwarded a report from HackerOne claiming that arbitrary
third party application could update profile - and this is true, but
expected.  There is ongoing discussion about making a more specific
OAuth Scope for profile, but the existing language in the docs made the
reporter think that third party apps should _never_ be able to access
the /profile.put operation, where indeed they can with the right scope.
diff --git a/openapi.yaml b/openapi.yaml
@@ -7880,8 +7880,8 @@ paths:
       - Profile
       summary: Update Profile
       description: >
-        Update information in your Profile.  This option is _not_ available to
-        all third-party clients.
+        Update information in your Profile.  This endpoint requires the
+        "account:read_write".
       operationId: updateProfile
       x-linode-cli-action: update
       security:
