Regular users are able to create invites with ADMIN role #4681

Closed
matthewelwell opened this issue Oct 2, 2024 · 1 comment
Labels
api Issue related to the REST API p1 priority label used for issues tagged with security security Security updates

Comments

@matthewelwell
Contributor

To reproduce:

  1. As a regular user in a paid organisation, use an API client to send a POST request to `/api/v1/organisations/:id/invite/` with the role of `"ADMIN"`.

Expected behaviour:

The user receives a 403

Actual behaviour:

The invite is created

@matthewelwell matthewelwell added api Issue related to the REST API security Security updates p1 priority label used for issues tagged with security labels Oct 2, 2024
@matthewelwell matthewelwell self-assigned this Oct 2, 2024
@matthewelwell
Contributor Author

Resolved in #4653
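
The expected behaviour in the report can be written as a server-side check on the requested role. This is an added example, not Flagsmith's code and not the change made in #4653; `Role`, `Membership`, `authorize_invite` and the rule that an invite may not grant a role above the requester's own are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    USER = "USER"
    ADMIN = "ADMIN"


# Assumed ordering: a higher number means more privilege.
RANK = {Role.USER: 0, Role.ADMIN: 1}


@dataclass(frozen=True)
class Membership:
    user_id: int
    organisation_id: int
    role: Role


def authorize_invite(memberships, requester_id, organisation_id, payload):
    """Return (status, detail) for a request to create an invite.

    The requester's role is looked up server-side from `memberships`;
    the client-supplied `role` field is only ever treated as a request.
    """
    requester = next(
        (m for m in memberships
         if m.user_id == requester_id and m.organisation_id == organisation_id),
        None,
    )
    if requester is None:
        return 403, "not a member of this organisation"

    # Strict allowlist parse: unknown or differently-cased values are rejected.
    try:
        requested = Role(payload.get("role", Role.USER.value))
    except ValueError:
        return 400, "unknown role"

    # The check the report found missing: no granting above your own role.
    if RANK[requested] > RANK[requester.role]:
        return 403, "cannot invite with a role higher than your own"
    return 201, "invite created"


# Constructed sample data: user 1 is an admin, user 2 a regular user, in org 10.
SAMPLE = [Membership(1, 10, Role.ADMIN), Membership(2, 10, Role.USER)]
```

The assertions that go with this block double as a regression test for the reported case: a regular user asking for `"ADMIN"` must get a 403.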
