cgladue
commented
7 years ago Where clause has been added to the DAL for this call. Users call already has this where clause so its not an issue.
Closed ChrisASearles closed 7 years ago
cgladue
commented
7 years ago Where clause has been added to the DAL for this call. Users call already has this where clause so its not an issue.
ChrisASearles
commented
7 years ago Why is this assigned to me, do I need to do something here?
cgladue
commented
7 years ago @ChrisASearles you found the issue, the issue was fixed so please confirm and you can close it
Right now a user that is in the PartnerAdmin role has access to view data for all tenant applications. To reproduce, login with an account that only has PartnerAdmin permissions for a specific subdomain, go to /partnerdashboard/redemptions and you can still view and act on all redemption requests for all partners/tenant applications.
We should do an audit of all places where partner data may be shared and ensure that we're not showing partner data between accounts as well (right now I believe /partnerdashboard/users is the only other place where this is a possibility).