
Restrict who can call org-specific APIs #131

Open
nicholaschiang opened this issue Oct 25, 2020 · 1 comment
Labels: p1 (Urgent tasks), story:org-permissions (Orgs can restrict who can access their data), type:bug (Something isn't working in a story)

Comments

@nicholaschiang (Member)

Is your feature request related to a problem? Please describe.
As mentioned in #115, while I did add a UI blocker to prevent users from seeing an org's search results, smart techy people (like me) can still access that data directly via the unrestricted /api/users endpoint.

Describe the solution you'd like
Call the verifyAuth component in the lib/api/routes/users/list.ts API route definition to ensure that the user is authorized to be requesting the given filters (i.e. if they're a member of the org they're filtering by).

@nicholaschiang nicholaschiang added the labels type:bug (Something isn't working in a story), category:back-end and p1 (Urgent tasks) on Oct 25, 2020
@nicholaschiang nicholaschiang added this to the PAUSD milestone Oct 25, 2020
@nicholaschiang nicholaschiang self-assigned this Oct 25, 2020
@nicholaschiang (Member, Author)

This should also apply to the individual API endpoints and the /api/users/[id]/availability endpoint.

Note: I should also add some Cypress API tests to ensure that those requests fail when they're unauthorized.
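One way to implement the check described in the issue and the follow-up comment, as an added example that is not the project's own code: a single org-membership guard shared by the user-list route and the availability route. The types, the `verifyAuth` signature and all sample records are assumptions made for this example.

```typescript
// Added example (not the project's code): the org-membership guard the issue
// proposes, shared by the user-list route and the availability route. The types,
// the verifyAuth signature and all sample data below are assumptions.
interface User { id: string; name: string; orgs: string[] }
interface Session { uid: string; orgs: string[] }   // caller's verified identity
type Result<T> = { status: 200; body: T } | { status: 401 | 403 | 404; error: string };

// Constructed sample records standing in for the database.
const USERS: User[] = [
  { id: 'u1', name: 'Alice', orgs: ['pausd'] },
  { id: 'u2', name: 'Bob', orgs: ['pausd', 'other'] },
  { id: 'u3', name: 'Carol', orgs: ['other'] },
];
const AVAILABILITY: Record<string, string[]> = { u1: ['Mon 09:00-10:00'], u2: ['Tue 14:00-15:00'] };

// Reject unauthenticated callers, then require membership in every org being
// filtered on. An empty filter is refused so a missing query cannot list everyone.
function verifyAuth(session: Session | null, orgs: string[]): Result<Session> {
  if (!session) return { status: 401, error: 'not signed in' };
  if (orgs.length === 0) return { status: 403, error: 'an org filter is required' };
  const mine = session.orgs;
  const missing = orgs.filter((o) => !mine.includes(o));
  if (missing.length > 0) return { status: 403, error: `not a member of ${missing.join(', ')}` };
  return { status: 200, body: session };
}

// GET /api/users?orgs=... : the query only runs once the filter is authorized.
function listUsers(session: Session | null, orgs: string[]): Result<User[]> {
  const auth = verifyAuth(session, orgs);
  if (auth.status !== 200) return auth;
  return { status: 200, body: USERS.filter((u) => u.orgs.some((o) => orgs.includes(o))) };
}

// GET /api/users/[id]/availability : same rule keyed on the target user's orgs.
// A user outside the caller's orgs gets the same 404 as a nonexistent id, so the
// route cannot be used to probe which ids exist.
function getAvailability(session: Session | null, id: string): Result<string[]> {
  if (!session) return { status: 401, error: 'not signed in' };
  const mine = session.orgs;
  const target = USERS.find((u) => u.id === id);
  if (!target || !target.orgs.some((o) => mine.includes(o))) {
    return { status: 404, error: 'no such user' };
  }
  return { status: 200, body: AVAILABILITY[id] ?? [] };
}
```

The Cypress tests mentioned above would exercise exactly these three outcomes per route: 401 with no session, 403/404 for a non-member, and 200 only for a member of the filtered org.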

@nicholaschiang nicholaschiang removed this from the PAUSD milestone May 11, 2021
@nicholaschiang nicholaschiang added the labels p1 (Urgent tasks) and story:org-permissions (Orgs can restrict who can access their data) and removed the labels category:back-end and p1 (Urgent tasks) on May 11, 2021