Closed ChrisASearles closed 7 years ago
Where clause has been added to the DAL for this call. Users call already has this where clause so it's not an issue.
Why is this assigned to me, do I need to do something here?
@ChrisASearles you found the issue, the issue was fixed so please confirm and you can close it
Right now a user that is in the PartnerAdmin role has access to view data for all tenant applications. To reproduce, log in with an account that only has PartnerAdmin permissions for a specific subdomain, go to /partnerdashboard/redemptions and you can still view and act on all redemption requests for all partners/tenant applications.
We should do an audit of all places where partner data may be shared and ensure that we're not showing partner data between accounts as well (right now I believe /partnerdashboard/users is the only other place where this is a possibility).
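
The tenant filter in the data layer and the audit requested in this thread, as an added example that is not the project's code: it shows the unscoped read beside the scoped one, the same filter on the write path, and a check that flags any data-layer call returning another tenant's rows. The SQLite schema, the `tenant_id` column, the `Caller` type and all function names are assumptions; the project's actual DAL and schema do not appear on this page.

```python
import sqlite3
from dataclasses import dataclass

@dataclass(frozen=True)
class Caller:
    role: str        # e.g. "PartnerAdmin"
    tenant_id: int   # tenant the role was granted for (assumed model)

def make_db():
    # Constructed sample data: two tenants with rows for each.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE redemptions (id INTEGER PRIMARY KEY, tenant_id INTEGER, status TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, tenant_id INTEGER, name TEXT);
        INSERT INTO redemptions VALUES (1, 10, 'pending'), (2, 10, 'pending'), (3, 20, 'pending');
        INSERT INTO users VALUES (1, 10, 'alice'), (2, 20, 'bob');
    """)
    return db

def list_redemptions_unscoped(db, caller):
    # "Before": the role is checked elsewhere, the tenant is not,
    # so every tenant's rows come back.
    return db.execute("SELECT id, tenant_id, status FROM redemptions").fetchall()

def list_redemptions(db, caller):
    # "After": tenant filter applied in the data layer, taken from the
    # caller's grant and never from a request parameter.
    return db.execute("SELECT id, tenant_id, status FROM redemptions "
                      "WHERE tenant_id = ?", (caller.tenant_id,)).fetchall()

def list_users(db, caller):
    return db.execute("SELECT id, tenant_id, name FROM users "
                      "WHERE tenant_id = ?", (caller.tenant_id,)).fetchall()

def approve_redemption(db, caller, redemption_id):
    # Writes need the same filter, or a known id acts on another tenant's request.
    cur = db.execute("UPDATE redemptions SET status = 'approved' "
                     "WHERE id = ? AND tenant_id = ?",
                     (redemption_id, caller.tenant_id))
    return cur.rowcount == 1

def audit(db, caller, calls):
    # Names of data-layer calls that return rows owned by other tenants.
    return [fn.__name__ for fn in calls
            if any(row[1] != caller.tenant_id for row in fn(db, caller))]
```

Run `audit` in the test suite with a caller for each seeded tenant so a new dashboard query without the filter fails the build.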