IDOR on removing Share
Program: Enter.health
Bug Type: IDOR
Bounty: 250
Date: 2015-08-30
IDOR
Summary
The researcher found an authorization flaw in a shared crypto wallet: a user that the wallet was shared with can remove another user's access to it.
Only the owner of the wallet should have permission to remove other users' access, but any shared user can use an endpoint to delete any other user's access.
The vulnerability can be reproduced by sending a POST request to /dashboard/account//sharing/delete with a body containing the bankUserId= parameter and the CSRF token.
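The flaw comes down to a missing object-level check on the share-removal handler. The following is an added example, not code from the report or from Enter.health, modelling the vulnerable check beside a corrected one; the `Wallet` model, the function names and the rule that a shared user may only remove their own access are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Wallet:
    """Constructed model of a shared wallet (assumption, not the product's schema)."""
    wallet_id: str
    owner_id: str
    shared_with: set = field(default_factory=set)


class Forbidden(Exception):
    """Raised when the requester is not allowed to perform the action."""


def remove_share_vulnerable(wallet: Wallet, requester_id: str, bank_user_id: str) -> bool:
    """Mirrors the reported bug: only checks that the requester can see the wallet
    (owner or any shared user), then removes whatever bankUserId was supplied."""
    if requester_id != wallet.owner_id and requester_id not in wallet.shared_with:
        raise Forbidden("no access to this wallet")
    # Missing check: nothing ties the requester to the right to remove *this* user.
    wallet.shared_with.discard(bank_user_id)
    return True


def remove_share_fixed(wallet: Wallet, requester_id: str, bank_user_id: str) -> bool:
    """Object-level authorization: the owner may remove anyone; a shared user may
    remove only themselves (assumed policy); everyone else is refused."""
    is_owner = requester_id == wallet.owner_id
    is_self_removal = requester_id in wallet.shared_with and requester_id == bank_user_id
    if not (is_owner or is_self_removal):
        raise Forbidden("only the wallet owner may remove another user's sharing")
    if bank_user_id not in wallet.shared_with:
        return False  # nothing to remove; do not leak whether the id exists elsewhere
    wallet.shared_with.discard(bank_user_id)
    return True


def demo() -> tuple:
    """Runs both handlers on a constructed wallet and returns the resulting share sets."""
    vulnerable = Wallet("w1", "owner", {"alice", "bob"})
    remove_share_vulnerable(vulnerable, "alice", "bob")  # succeeds: alice removed bob

    fixed = Wallet("w1", "owner", {"alice", "bob"})
    try:
        remove_share_fixed(fixed, "alice", "bob")
    except Forbidden:
        pass  # refused: bob's access is untouched
    return vulnerable.shared_with, fixed.shared_with
```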