pucardotorg / dristi

MIT License

Tech Debt: Case search API does not restrict access to data #1401

Open subhashini-egov opened 1 month ago

subhashini-egov commented 1 month ago

Describe the bug

The case search API should restrict access to data only to parties of the case - Judge/Advocate/Litigant/Bench Clerk. 200 OK to be returned for these personas. Everyone else should get a 401 Unauthorized.

To Reproduce

Steps to reproduce the behavior:

  1. Log in as a Judge
  2. Click on any case from the "My Cases" view.
  3. Copy the case URL
  4. Paste the URL in another browser (Safari) as an advocate.
  5. An advocate who has no relation to the case will be able to see the details of the case. This is a breach of privacy/security.

Expected behavior

An error screen should be shown in the UI.
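The check the report asks for is object-level authorization on the case search and case lookup endpoints, not just a role gate. The following is an added example, not code from the dristi project: it puts a role-only lookup, which behaves the way the repro steps describe, beside a membership-based lookup and search that return data only to parties of the case. The case store, user ids, role names and the (status, body) return shape are all constructed for the example.

```python
"""Object-level authorization for a case search endpoint.

Added illustration, not code from the dristi project. The case store,
user ids, role names and the (status, body) return shape are constructed
for this example.
"""
from dataclasses import dataclass
from typing import Optional

# The personas the report names as legitimate parties to a case.
PARTY_ROLES = frozenset({"JUDGE", "ADVOCATE", "LITIGANT", "BENCH_CLERK"})


@dataclass(frozen=True)
class User:
    uuid: str
    roles: frozenset


@dataclass(frozen=True)
class Case:
    case_id: str
    title: str
    judge: str
    bench_clerk: str
    advocates: frozenset
    litigants: frozenset

    def parties(self) -> frozenset:
        """Every user id that is a party to this case."""
        return frozenset({self.judge, self.bench_clerk}) | self.advocates | self.litigants


# Constructed sample data: two cases with different judges and advocates
# but the same bench clerk.
CASES = {
    "C-001": Case("C-001", "State v. Alpha", "u-judge-1", "u-clerk-1",
                  frozenset({"u-adv-1"}), frozenset({"u-lit-1"})),
    "C-002": Case("C-002", "State v. Beta", "u-judge-2", "u-clerk-1",
                  frozenset({"u-adv-2"}), frozenset({"u-lit-2"})),
}


def has_party_role(user: User) -> bool:
    """Coarse check: does the caller hold any party role at all?"""
    return bool(user.roles & PARTY_ROLES)


def is_party(user: User, case: Case) -> bool:
    """Hardened check: the caller must hold a party role AND be named on the case."""
    return has_party_role(user) and user.uuid in case.parties()


def get_case_role_only(user: Optional[User], case_id: str):
    """Vulnerable form: any authenticated user with a party role can read any case.

    This is the behaviour the repro steps describe: an advocate with no
    relation to the case can open a judge's case URL and see its details.
    """
    if user is None or not has_party_role(user):
        return 401, None
    case = CASES.get(case_id)
    return (200, {"case_id": case.case_id, "title": case.title}) if case else (404, None)


def get_case(user: Optional[User], case_id: str):
    """Hardened form: direct lookup by id returns data only to parties of the case."""
    if user is None:
        return 401, None
    case = CASES.get(case_id)
    if case is None or not is_party(user, case):
        # One response for "missing" and "not a party", so the endpoint does not
        # reveal which case ids exist. The report asks for 401; 403 Forbidden is
        # the conventional code for an authenticated caller who lacks access.
        return 401, None
    return 200, {"case_id": case.case_id, "title": case.title}


def search_cases(user: Optional[User], query: str = ""):
    """Hardened search: membership is applied server-side to every result,
    never taken from anything the client sends."""
    if user is None:
        return 401, []
    q = query.lower()
    hits = [c.case_id for c in CASES.values()
            if q in c.title.lower() and is_party(user, c)]
    return 200, hits
```

The point of the pairing: `get_case_role_only` answers "is this an advocate?", which is the question the report says the API currently asks; `get_case` and `search_cases` answer "is this user a party to this case?", which is the question that closes the leak. Filtering inside the search rather than after it also means a case the caller is not party to never appears in a result count or a paginated page.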

subhashini-egov commented 5 days ago

@Ramu-kandimalla @suresh12 why are the showstopper labels being removed without any comments or explanation? What's the plan for fixing these? CC: @atulgupta2024

Ramu-kandimalla commented 5 days ago

Hi @Subhashini,

I have added a new label called NFR. NFR & Security are the priority tasks we have planned post judges Demo, for tracking purposes.

We have been discussing these action plans on the standup call regularly.

Please go through the updated Sprint planning: Sprint Plan https://github.com/orgs/pucardotorg/projects/1/views/20?filterQuery=label%3ANFR

Regards, Ramu Kandimalla, Project Manager, BeeHyv Software Solutions (https://www.beehyv.com/)
