Closed (jaakkom closed 4 months ago)
Can you please show an example request for which a user without the view permission can call this so we can reproduce? Thanks.
Confirmed, it only shows organizations the user belongs to, just like orgs/me but with a different payload. My fault!
Is there supposed to be some kind of authorization on the /orgs API? Currently anyone can fetch organizations with a valid token. I think it should be somehow limited; now it reveals all "organizations" to all end users.