onekiloparsec
commented
3 years ago Thanks JB for your unmatched talent to find places where things are slightly different...
The source of the bug lies in the permissions classes. All organisations API endpoints are protected by permission classes, to let only members of the organisations access the org resources.
But the root endpoint /organisations/<org subdomain>/ is different in the sense that organisations themselves are public resources. The update of organisation details is protected by membership permissions.
Except that it relies on a permission mixin that was installed everywhere but there...
Bug is reported by an admin member of the organisation.