msupply-foundation / open-msupply

Open mSupply represents our most recent advancement in the Logistics Management Information System (LMIS), expanding on more than two decades of development inherited from the well-established legacy of the original mSupply.
https://msupply.foundation/open-msupply/

None of the assets or demographic endpoints pass in a store id when checking permission #4987

Open roxy-dao opened 2 hours ago

roxy-dao commented 2 hours ago

What went wrong? 😲

None of the assets or demographic endpoints pass in a store id when checking permission.

Expected behaviour 🤔

This should be passed through so we know if the user has the permission for the store, or else they can query/mutate assets/demographics for other stores even though they don't have the permission!


lache-melvin commented 2 hours ago

Setting severity high as I think we need to discuss the importance of this with the team 🙏 Easy to miss in dev/reviews (it's sort of lost in the boilerplate) but quite critical!
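An added example, not code from this thread or from the open-msupply repository, showing why the store id matters in the permission check. Every type and function name is hypothetical, and the lenient behaviour (no store id means a grant in any store is enough) is an assumption made for illustration.

```rust
use std::collections::HashSet;

// Hypothetical model for illustration; none of these names are open-msupply's own.
#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
enum Permission { QueryAsset, MutateAsset }

struct User { grants: HashSet<(String, Permission)> } // (store id, permission) pairs

struct AccessRequest<'a> { permission: Permission, store_id: Option<&'a str> }

#[derive(Debug, PartialEq)]
enum AuthError { Denied, StoreIdRequired }

// Assumed unscoped behaviour: with no store id, a grant in ANY store satisfies the check.
fn validate_lenient(user: &User, req: &AccessRequest) -> Result<(), AuthError> {
    let held = user.grants.iter().any(|(store, perm)| {
        *perm == req.permission && req.store_id.map_or(true, |s| s == store.as_str())
    });
    if held { Ok(()) } else { Err(AuthError::Denied) }
}

// Fail closed: a store-scoped permission cannot be evaluated without a store id.
fn validate_store_scoped(user: &User, req: &AccessRequest) -> Result<(), AuthError> {
    let store = req.store_id.ok_or(AuthError::StoreIdRequired)?;
    if user.grants.contains(&(store.to_string(), req.permission)) {
        Ok(())
    } else {
        Err(AuthError::Denied)
    }
}

// Constructed sample: the user may query assets in store_a only.
fn sample_user() -> User {
    let mut grants = HashSet::new();
    grants.insert(("store_a".to_string(), Permission::QueryAsset));
    User { grants }
}

fn main() {
    let user = sample_user();
    let cases = [
        AccessRequest { permission: Permission::QueryAsset, store_id: None },
        AccessRequest { permission: Permission::QueryAsset, store_id: Some("store_a") },
        AccessRequest { permission: Permission::QueryAsset, store_id: Some("store_b") },
        AccessRequest { permission: Permission::MutateAsset, store_id: Some("store_a") },
    ];
    for r in &cases {
        println!("{:?} {:?}: lenient={:?} scoped={:?}", r.permission, r.store_id,
                 validate_lenient(&user, r), validate_store_scoped(&user, r));
    }
}
```

Making the store id a required argument of the check, rather than an `Option`, would turn an endpoint that forgets it into a compile error instead of something to catch in review.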