<< instantly saves the added association. We were adding the project from the route parameter onto the site object temporarily, assuming the site would not be saved.
Instead whenever the route was accessed with any project id, that project id was added to the list of available projects - creating an security bypass.
I also took this opportunity to disallow the creation of new sites that belong to multiple projects. It is a feature we plan to remove anyway.
We still have to allow updating multi-project sites - at least until we can ensure there are no examples of them in the database.
Fixes #679
<<instantly saves the added association. We were adding the project from the route parameter onto the site object temporarily, assuming the site would not be saved.Instead whenever the route was accessed with any project id, that project id was added to the list of available projects - creating an security bypass.
I also took this opportunity to disallow the creation of new sites that belong to multiple projects. It is a feature we plan to remove anyway.
We still have to allow updating multi-project sites - at least until we can ensure there are no examples of them in the database.