Users are allowed to deploy services via API if they have multiple teams and one subscription

ptah-sh / ptah-server

Self-hosted alternative to Heroku

https://ptah.sh

Other

145 stars 5 forks source link

Closed bohdan-shulha closed 2 months ago

bohdan-shulha commented 2 months ago

Currently users can avoid the permission check if they have multiple teams and only one of them has a subscription.

http://localhost:8000/api/v0/services/3/deploy

Could be relatable to UI actions as well.

Also, the currentTeam seems to be not switching when a user changes the team ID in the url:

http://localhost:8000/teams/1/billing

bohdan-shulha commented 2 months ago

Seems to be resolved already.