GemsTracker / gemstracker-library

GEneric Medical Survey Tracker, main library
http://gemstracker.org
BSD 3-Clause "New" or "Revised" License

Lots of security fixes, mostly checking access to organizations #864

Closed rvm-peercode closed 5 months ago

rvm-peercode commented 5 months ago

Apply input validation to organization IDs submitted by the user: always check if the user has access to the requested organization ID or IDs, and throw an exception if he does not.

mddejong commented 5 months ago

Is it a good idea to approve this while the phpstan issue is open?

rvm-peercode commented 5 months ago

Is it a good idea to approve this while the phpstan issue is open?

The phpstan issues come from the 2.x branch, not the changes in this one, but there's no hurry. I can rebase as soon as the 2.x branch is clean again.

mddejong commented 5 months ago

Apart from the previously discussed request id.

I thought that in track maintenance we would not check on organization?

rvm-peercode commented 5 months ago

Well, following best practices, I've tried to find locations where a frontend filter was not accompanied by a backend validation, in order to add this validation to the backend. This is important to do from a security by design perspective. It also prevents possible issues when a class is copied in order to use it for different functionality.

My changes should not have any functional impact, since the frontend filters were already in place.
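The pattern the PR description and this reply describe, as an added illustration rather than code from gemstracker-library (class and method names are assumptions): a backend guard that checks every submitted organization ID against the set the current user may access and throws when one is out of scope, so the check no longer relies on the frontend filter alone.

```php
<?php
// Added example, not GemsTracker code; class and method names are assumptions (PHP 8).
final class OrganizationAccessDeniedException extends RuntimeException {}

final class OrganizationAccessGuard
{
    /** @var array<int, true> organization IDs the current user may access, as a set */
    private array $allowed;

    /** @param int[] $allowedOrganizationIds e.g. from the user's role/organization lookup */
    public function __construct(array $allowedOrganizationIds)
    {
        $this->allowed = array_fill_keys(array_map('intval', $allowedOrganizationIds), true);
    }
    /**
     * Validate one or more organization IDs taken from request input (an int,
     * a digit string, or an array of those) and return them as clean ints.
     * Any malformed value or ID outside the allowed set throws, regardless of
     * what the frontend filter offered.
     *
     * @param mixed $input raw request value
     * @return int[]
     */
    public function assertAccess(mixed $input): array
    {
        $clean = [];
        foreach (is_array($input) ? $input : [$input] as $id) {
            // Reject instead of casting: "12abc" must not silently become 12.
            if (!is_int($id) && !(is_string($id) && ctype_digit($id))) {
                throw new OrganizationAccessDeniedException('Invalid organization id');
            }
            $id = (int) $id;
            if (!isset($this->allowed[$id])) {
                throw new OrganizationAccessDeniedException("No access to organization $id");
            }
            $clean[] = $id;
        }
        return $clean;
    }
}

// Constructed sample: the user may work with organizations 70 and 71 only.
$guard = new OrganizationAccessGuard([70, 71]);
$guard->assertAccess(['70', 71]);   // both in scope, accepted
try {
    $guard->assertAccess('72');     // out of scope: the backend rejects it
} catch (OrganizationAccessDeniedException $e) {
    // log the attempt and respond with 403
}
```

Calling the guard from every action that takes an organization ID (including ones reached only through a filtered frontend) is what makes copying a class for new functionality safe by default.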