What?

In /admin/direct_verifications/authorizations we are currently listing all authorizations regardless of the organization their user belongs to. Needless to say, this is concerning because we're leaking details from all organizations.

We should only list authorizations related to the current organization.

Proposed solution

We should change the existing data fetching in decidim-verifications-direct_verifications/app/controllers/decidim/direct_verifications/verification/admin/authorizations_controller.rb (lines 24 to 26 in a971f8b) to fetch only authorizations whose user belongs to the current_organization. That is, join authorizations with decidim_users where decidim_users.decidim_organization_id = current_organization.id.
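The scoping the issue proposes, written out as SQL against a constructed subset of the schema (an added example, not code from the issue or the Decidim project): the unscoped listing beside the organization-scoped one, plus a per-organization count that is handy when verifying the fix. decidim_users.decidim_organization_id is the column the issue names; the other table and column names (decidim_authorizations, decidim_user_id) and the :current_organization_id bind placeholder are assumptions.

```sql
-- Constructed subset of the schema; table/column names other than
-- decidim_users.decidim_organization_id are assumptions, not Decidim's migrations.
CREATE TABLE decidim_organizations (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE decidim_users (
  id INTEGER PRIMARY KEY,
  decidim_organization_id INTEGER NOT NULL REFERENCES decidim_organizations(id),
  email TEXT NOT NULL
);
CREATE TABLE decidim_authorizations (
  id INTEGER PRIMARY KEY,
  decidim_user_id INTEGER NOT NULL REFERENCES decidim_users(id),
  name TEXT NOT NULL,
  granted_at TIMESTAMP
);

-- Constructed sample data: two tenants (organizations) sharing one database.
INSERT INTO decidim_organizations VALUES (1, 'City A'), (2, 'City B');
INSERT INTO decidim_users VALUES (10, 1, 'alice@example.org'), (20, 2, 'bob@example.org');
INSERT INTO decidim_authorizations VALUES
  (100, 10, 'direct_verifications', '2021-01-01 10:00:00'),
  (200, 20, 'direct_verifications', '2021-01-02 10:00:00');

-- Unscoped listing, i.e. the defect described in the issue: there is no
-- tenant filter, so an admin of one organization sees every organization's rows.
SELECT a.id, a.decidim_user_id, a.name, a.granted_at
  FROM decidim_authorizations a;

-- Scoped listing, i.e. the proposed fix: join through the user to its
-- organization and keep only rows whose user belongs to the current one.
-- :current_organization_id is a bind placeholder for current_organization.id.
SELECT a.id, a.decidim_user_id, a.name, a.granted_at
  FROM decidim_authorizations a
  JOIN decidim_users u ON u.id = a.decidim_user_id
 WHERE u.decidim_organization_id = :current_organization_id;

-- Verification aid: authorizations per organization. After the fix, the admin
-- page for organization N must list exactly the count shown for N and nothing
-- from any other organization.
SELECT u.decidim_organization_id, COUNT(*) AS authorizations
  FROM decidim_authorizations a
  JOIN decidim_users u ON u.id = a.decidim_user_id
 GROUP BY u.decidim_organization_id
 ORDER BY u.decidim_organization_id;
```

The same join-and-filter is what the controller's ActiveRecord query needs to express; the per-organization count is a quick way to confirm in a multi-tenant database that the admin listing no longer crosses organizations.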