A vacation request portal hid an admin-only approve endpoint behind a UI button but left it open on the server. Reading the client-side JavaScript revealed the unexposed API action and calling it directly self-approved the request.