We've certainly fixed the IDOR vulnerability from /idor.php. Now you can't tamper with the request due to the hash. Good luck getting access to other users' information now!
Solution workflow here.
Click the button below to retrieve information for the default user.