Users with Portfolio View All Domain Requests permissions can view Domain Requests outside their portfolio #3548

Matt-Spence · 2025-02-20T16:11:51Z

Issue description

Currently, any user with permission to view all domain requests for a portfolio can access a view-only view of any domain request by going into the browser and hitting the /domain-request/viewonly/{domain id} endpoint manually. This appears to be because the PortfolioDomainRequestsViewOnly view only checks if that view all permission exists, and not whether it exists for the domain requests portfolio.

Acceptance criteria

Portfolio users can only view domain requests that are in their portfolio

Additional context

No response

Links to other issues

No response

Matt-Spence added the dev issue is for the dev team label Feb 20, 2025

github-project-automation bot added this to .gov Product Board Feb 20, 2025

github-project-automation bot moved this to 👶 New in .gov Product Board Feb 20, 2025

allly-b added the Feature: 🏢 Org Model label Feb 21, 2025

allly-b added this to the Org Model m4 - Domain Requests milestone Feb 21, 2025

katypies added the bug Something that isn't working as intended label Feb 24, 2025

katypies moved this from 👶 New to 🎯 Ready in .gov Product Board Feb 24, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Users with Portfolio View All Domain Requests permissions can view Domain Requests outside their portfolio #3548

Users with Portfolio View All Domain Requests permissions can view Domain Requests outside their portfolio #3548

Matt-Spence commented Feb 20, 2025

Users with Portfolio View All Domain Requests permissions can view Domain Requests outside their portfolio #3548

Users with Portfolio View All Domain Requests permissions can view Domain Requests outside their portfolio #3548

Comments

Matt-Spence commented Feb 20, 2025

Issue description

Acceptance criteria

Additional context

Links to other issues