Open mSupply represents our most recent advancement in the Logistics Management Information System (LMIS), expanding on more than two decades of development inherited from the well-established legacy of the original mSupply.
What went wrong? 😲
None of the assets or demographic endpoints pass in a store id when checking permission.
Expected behaviour 🤔
This should be passed through so we know if the user has the permission for the store or else they can query/mutate assets/demographics for other stores even though they don't have the permission!
Setting severity high as I think we need to discuss the importance of this with the team 🙏 Easy to miss in dev/reviews (it's sort of lost in the boilerplate) but quite critical!
How to Reproduce 🔨
Steps to reproduce the behaviour:
Your environment 🌱
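The failure mode reported above, as an added example that is not Open mSupply's code: a hypothetical permission model in which a check made without a store id is satisfied by a grant in any store, next to a check that fails closed when the store id is missing. The types, function names and store ids are assumptions made for illustration.

```rust
// Added illustration: a hypothetical permission model, not Open mSupply's code.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
enum Resource { QueryAsset, MutateAsset }

// One permission row: the user holds `resource` in `store_id` only.
struct Grant { store_id: &'static str, resource: Resource }

struct AccessRequest { resource: Resource, store_id: Option<&'static str> }

#[derive(PartialEq, Eq, Debug)]
enum AuthError { MissingStoreId, Denied }

// Assumed buggy behaviour: with no store id, a grant in ANY store satisfies the check.
fn check_unscoped(grants: &[Grant], req: &AccessRequest) -> bool {
    grants.iter().any(|g| {
        g.resource == req.resource && req.store_id.map_or(true, |s| s == g.store_id)
    })
}

// Hardened: a store-scoped resource fails closed when the caller omits the store id.
fn check_scoped(grants: &[Grant], req: &AccessRequest) -> Result<(), AuthError> {
    let store = req.store_id.ok_or(AuthError::MissingStoreId)?;
    let ok = grants.iter().any(|g| g.resource == req.resource && g.store_id == store);
    if ok { Ok(()) } else { Err(AuthError::Denied) }
}

// Constructed sample data: the user may touch assets in store_a only.
fn sample_grants() -> Vec<Grant> {
    vec![
        Grant { store_id: "store_a", resource: Resource::QueryAsset },
        Grant { store_id: "store_a", resource: Resource::MutateAsset },
    ]
}

fn main() {
    let grants = sample_grants();
    // Endpoint acting on another store's data but omitting the store id, as the issue describes.
    let omitted = AccessRequest { resource: Resource::MutateAsset, store_id: None };
    let other = AccessRequest { resource: Resource::MutateAsset, store_id: Some("store_b") };
    let own = AccessRequest { resource: Resource::MutateAsset, store_id: Some("store_a") };
    println!("unscoped, id omitted: {}", check_unscoped(&grants, &omitted));
    println!("scoped, id omitted:   {:?}", check_scoped(&grants, &omitted));
    println!("scoped, store_b:      {:?}", check_scoped(&grants, &other));
    println!("scoped, store_a:      {:?}", check_scoped(&grants, &own));
}
```

Making the store id a required argument of the check, rather than an `Option`, turns the omission into a compile error instead of something a reviewer has to spot in boilerplate.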