Closed adamdecaf closed 4 years ago

Customers Version: v0.5.0-dev23

What were you trying to do? When loading GET /customers/{customerID}/accounts the X-Organization header is not checked such that the Customer (for the Account(s)) belongs to the Organization. The same applies on other Account-related endpoints.

There's no check in the endpoint currently:
https://github.com/moov-io/customers/blob/v0.5.0-dev23/pkg/accounts/router.go#L46-L62
https://github.com/moov-io/customers/blob/v0.5.0-dev23/pkg/accounts/router.go#L168-L199

What did you expect to see? The X-Organization header is used to filter Accounts returned - often by authentication systems.
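The following is an added example, written for this page and not code from moov-io/customers or from the issue author. It shows one way to enforce the check the issue asks for: a handler wrapper that refuses to serve an accounts route unless the X-Organization header matches the organization the customer belongs to. The `OrganizationLookup` interface, the in-memory `mapLookup`, the path parsing, the stand-in `accountsHandler`, and the choice of status codes are all assumptions made for the example; the real project resolves organizations and routes requests its own way.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

var errCustomerNotFound = errors.New("customer not found")

// OrganizationLookup is a hypothetical interface (not from moov-io/customers)
// that resolves which organization a customer belongs to.
type OrganizationLookup interface {
	OrganizationForCustomer(customerID string) (string, error)
}

// mapLookup is an in-memory lookup used only for this example.
type mapLookup map[string]string

func (m mapLookup) OrganizationForCustomer(id string) (string, error) {
	org, ok := m[id]
	if !ok {
		return "", errCustomerNotFound
	}
	return org, nil
}

// customerIDFromPath extracts {customerID} from /customers/{customerID}/accounts...
// (assumed path layout; returns "" when the path does not match).
func customerIDFromPath(path string) string {
	parts := strings.Split(strings.Trim(path, "/"), "/")
	if len(parts) < 3 || parts[0] != "customers" || parts[2] != "accounts" {
		return ""
	}
	return parts[1]
}

// RequireOrganization wraps an account handler and only forwards the request
// when the X-Organization header is present and equals the organization that
// owns the customer named in the path.
func RequireOrganization(lookup OrganizationLookup, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		org := strings.TrimSpace(r.Header.Get("X-Organization"))
		if org == "" {
			http.Error(w, "missing X-Organization header", http.StatusBadRequest)
			return
		}
		customerID := customerIDFromPath(r.URL.Path)
		if customerID == "" {
			http.NotFound(w, r)
			return
		}
		owner, err := lookup.OrganizationForCustomer(customerID)
		// Answer "unknown customer" and "customer owned by another organization"
		// identically so a caller cannot use the status code to enumerate
		// customer IDs that exist under other tenants.
		if err != nil || owner != org {
			http.NotFound(w, r)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// accountsHandler stands in for the real accounts handler; it is only reached
// once RequireOrganization has accepted the request.
func accountsHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		w.Write([]byte(`[{"accountID":"acct-1"}]`))
	})
}

// NewGuardedHandler builds the guarded accounts handler over constructed
// sample data: cust-a belongs to org-1, cust-b to org-2.
func NewGuardedHandler() http.Handler {
	lookup := mapLookup{"cust-a": "org-1", "cust-b": "org-2"}
	return RequireOrganization(lookup, accountsHandler())
}

// StatusFor sends GET /customers/{customerID}/accounts with the given
// X-Organization header (omitted when org is "") and returns the status code.
func StatusFor(h http.Handler, customerID, org string) int {
	req := httptest.NewRequest(http.MethodGet, "/customers/"+customerID+"/accounts", nil)
	if org != "" {
		req.Header.Set("X-Organization", org)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := NewGuardedHandler()
	fmt.Println("same org:   ", StatusFor(h, "cust-a", "org-1"))
	fmt.Println("other org:  ", StatusFor(h, "cust-a", "org-2"))
	fmt.Println("unknown id: ", StatusFor(h, "cust-zzz", "org-1"))
	fmt.Println("no header:  ", StatusFor(h, "cust-a", ""))
}
```

A request whose header names the owning organization reaches the accounts handler; a request from a different organization, or for a customer that does not exist, gets the same 404 so the response does not leak which customer IDs exist under other tenants. A missing header is a client error (400) rather than silently treated as a wildcard. The same wrapper can front every account-related route, which is what the issue means by the check applying to the other endpoints as well.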