fix(issues): Scope get_shared_for_org to the slug-resolved organization#114906
Draft
get_shared_for_org checked the disable_shared_issues flag on the org resolved from the URL slug, but fetched the group purely by share UUID with no org filter. A caller could pass a slug for org B (sharing enabled) with a share UUID that belongs to org A (sharing disabled), and receive org A's protected group title and message. The fix fetches the group first, then rejects the request if the group's owning org does not match the slug-resolved org, and finally checks the flag on the actual owning org — matching the correct pattern already used by get_shared_for_cell. Co-Authored-By: Claude <[email protected]>
IssueService.get_shared_for_org checked the disable_shared_issues flag on the org resolved from the URL slug, but fetched the group purely by share UUID with no org filter. A caller could pass a slug for org B (sharing enabled) alongside a share UUID that belongs to org A (sharing disabled) and receive org A's protected group title and message — bypassing the owning org's explicit privacy control.

The sibling method get_shared_for_cell already handles this correctly by checking the flag on the group's actual owning org. This PR makes get_shared_for_org consistent with that pattern:

- disable_shared_issues set (moved from checking the wrong org).

Also adds unit tests for DatabaseBackedIssueService.get_shared_for_org covering the happy path, same-org sharing disabled, cross-org slug mismatch (the bypass), and cross-org slug mismatch with sharing disabled on the owner.
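The commit message and the PR description above both describe the same ordering mistake: checking the sharing flag on the org named in the URL, then fetching the group by share UUID with no ownership constraint. The following is an added, self-contained example (not Sentry's code, and not the diff in this PR) that models the two lookups side by side over a constructed in-memory fixture. The Organization and Group classes, the `_org_by_slug` / `_group_by_share_id` helpers, and the slug and share-id values are all assumptions made for the illustration; the fixed variant follows the order the commit message gives (fetch the group, reject on org mismatch, then check the owning org's flag).

```python
"""Constructed example (not Sentry's code): scoping a shared-issue lookup to the
slug-resolved organization.

Three organizations and three shared groups are built inline. org-a has
disable_shared_issues set; org-b and org-c allow sharing. The "before" lookup
checks the flag on whichever org the URL slug names and then fetches the group
by share id with no org filter. The "after" lookup resolves the group first,
requires that it belongs to the slug-resolved org, and checks the flag on the
group's actual owner.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Organization:          # hypothetical stand-in for an org row
    id: int
    slug: str
    disable_shared_issues: bool = False


@dataclass
class Group:                 # hypothetical stand-in for a group/issue row
    id: int
    organization_id: int     # owning org
    share_id: str            # share UUID that appears in the public share URL
    title: str
    message: str


# Constructed fixture data; the ids, slugs and share ids are not real.
ORGS = {
    "org-a": Organization(id=1, slug="org-a", disable_shared_issues=True),
    "org-b": Organization(id=2, slug="org-b", disable_shared_issues=False),
    "org-c": Organization(id=3, slug="org-c", disable_shared_issues=False),
}
GROUPS = [
    Group(id=10, organization_id=1, share_id="share-a", title="org A title", message="org A message"),
    Group(id=20, organization_id=2, share_id="share-b", title="org B title", message="org B message"),
    Group(id=30, organization_id=3, share_id="share-c", title="org C title", message="org C message"),
]


def _org_by_slug(slug: str) -> Optional[Organization]:
    return ORGS.get(slug)


def _org_by_id(org_id: int) -> Optional[Organization]:
    return next((o for o in ORGS.values() if o.id == org_id), None)


def _group_by_share_id(share_id: str) -> Optional[Group]:
    # Global lookup by share id only: this is the query with "no org filter".
    return next((g for g in GROUPS if g.share_id == share_id), None)


def get_shared_for_org_before(slug: str, share_id: str) -> Optional[dict]:
    """Vulnerable ordering: flag checked on the slug's org, group fetched unscoped."""
    org = _org_by_slug(slug)
    if org is None or org.disable_shared_issues:
        return None
    group = _group_by_share_id(share_id)   # may belong to a different org
    if group is None:
        return None
    return {"title": group.title, "message": group.message}


def get_shared_for_org_after(slug: str, share_id: str) -> Optional[dict]:
    """Fixed ordering: fetch the group, require it belongs to the slug's org,
    then check disable_shared_issues on the group's owning org."""
    org = _org_by_slug(slug)
    if org is None:
        return None
    group = _group_by_share_id(share_id)
    if group is None or group.organization_id != org.id:
        return None                        # cross-org slug mismatch: hide the group
    owner = _org_by_id(group.organization_id)
    # After the mismatch check `owner` is `org`, but the flag is still read from
    # the group's owner so the privacy control stays tied to the data it protects.
    if owner is None or owner.disable_shared_issues:
        return None
    return {"title": group.title, "message": group.message}


if __name__ == "__main__":
    # The bypass: org-b's slug (sharing enabled) with org-a's share id (sharing disabled).
    print("before:", get_shared_for_org_before("org-b", "share-a"))
    print("after: ", get_shared_for_org_after("org-b", "share-a"))
```

Running the module prints org A's title and message from the "before" lookup and None from the "after" lookup. The cross-org check is what closes the bypass; moving the flag check to the owning org on its own would not be enough if the group lookup stayed unscoped, because a slug mismatch with sharing enabled on both orgs would still return another org's group.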