moov-io / customers

Customer registry supporting Know Your Customer (KYC), Customer Identification Program (CIP), and OFAC checks
https://moov.io
Apache License 2.0

customers: GET, PUT, DELETE /customers/:id does not validate organization #248

Closed adamdecaf closed 4 years ago

adamdecaf commented 4 years ago

Customers Version: v0.5.0-dev23

What were you trying to do? When loading GET /customers/{customerID}, the X-Organization header is not checked to ensure that the Customer belongs to the Organization.

There's no check in the endpoint currently.

https://github.com/moov-io/customers/blob/v0.5.0-dev23/pkg/customers/customers.go#L56-L67

What did you expect to see? The X-Organization header is used to filter Customers returned - often by authentication systems.
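The gap described in this issue is a missing object-level authorization check: the record is fetched by path ID alone, so any caller who knows or guesses an ID can read (and, per the title, update or delete) a customer belonging to another organization. The following is an added example, not code from moov-io/customers, showing the reported behaviour beside a handler that enforces the X-Organization check. The `Customer` fields, the in-memory `Repository`, the `cust-*`/`org-*` sample data and the handler names are all assumptions made for this example; the real project uses its own model, router and database layer.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Customer is a minimal stand-in for the project's customer record. The
// field names are assumptions for this example, not the real data model.
type Customer struct {
	ID           string `json:"customerID"`
	Organization string `json:"organization"`
	Name         string `json:"name"`
}

// Repository is an in-memory substitute for the database layer.
type Repository struct {
	customers map[string]Customer
}

// Get returns the customer with the given ID, or false if there is none.
func (r *Repository) Get(id string) (Customer, bool) {
	c, ok := r.customers[id]
	return c, ok
}

// sampleRepo builds constructed sample data: two customers, each in a
// different organization.
func sampleRepo() *Repository {
	return &Repository{customers: map[string]Customer{
		"cust-1": {ID: "cust-1", Organization: "org-a", Name: "Alice"},
		"cust-2": {ID: "cust-2", Organization: "org-b", Name: "Bob"},
	}}
}

// customerIDFromPath extracts :id from /customers/:id without a router.
func customerIDFromPath(path string) string {
	return strings.TrimPrefix(path, "/customers/")
}

// vulnerableGetCustomer reproduces the behaviour the issue reports: the
// record is looked up by path ID alone and X-Organization is never read,
// so a caller from org-b can fetch org-a's customer.
func vulnerableGetCustomer(repo *Repository) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		cust, ok := repo.Get(customerIDFromPath(r.URL.Path))
		if !ok {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(cust)
	}
}

// fixedGetCustomer requires X-Organization and refuses to return a customer
// that belongs to a different organization. A mismatch is reported as 404
// rather than 403 so the response does not confirm that the ID exists.
func fixedGetCustomer(repo *Repository) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		org := strings.TrimSpace(r.Header.Get("X-Organization"))
		if org == "" {
			http.Error(w, "missing X-Organization header", http.StatusBadRequest)
			return
		}
		cust, ok := repo.Get(customerIDFromPath(r.URL.Path))
		if !ok || cust.Organization != org {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(cust)
	}
}

// probe sends GET /customers/{id} with the given X-Organization value
// through a handler and returns the status code and trimmed body.
func probe(h http.Handler, id, org string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/customers/"+id, nil)
	if org != "" {
		req.Header.Set("X-Organization", org)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	repo := sampleRepo()
	handlers := []struct {
		name string
		h    http.Handler
	}{
		{"vulnerable", vulnerableGetCustomer(repo)},
		{"fixed", fixedGetCustomer(repo)},
	}
	for _, tc := range handlers {
		// org-b asks for org-a's customer: the first handler leaks it.
		code, body := probe(tc.h, "cust-1", "org-b")
		fmt.Printf("%-10s GET /customers/cust-1 as org-b -> %d %s\n", tc.name, code, body)
	}
}
```

The same lookup-then-compare belongs in the PUT and DELETE handlers named in the title; in practice it is easiest to factor the header check and the ownership comparison into one helper that every per-customer route calls before acting on the record, so a new route cannot forget it. Returning 404 on a mismatch is a deliberate choice: a 403 would tell a tenant that a customer ID it does not own is valid.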