
Changing the Owner of an Application does not work in APIM v4.5.0 as expected #3751

Open
wso2/carbon-apimgt
#13047
@WathsalaKoralege

Description


To change the ownership of the applications[1], the original owner and new owner are required to be in the same organization. However, this is not properly honored in APIM v4.5.0.

[1] https://apim.docs.wso2.com/en/4.5.0/consume/manage-application/advanced-topics/changing-the-owner-of-an-application/

Steps to Reproduce

  1. Sign up to the API Developer Portal as two different users (ex: user_1, user_2) where only one user has a specific organization (ex: test_1 --> user_1).
  2. Create two Applications from user_1 (ex: app_1, app_2).
  3. Share the application app_2 with the test_1 organization.
  4. Change the application owner of app_1 from user_1 to user_2 via the admin portal. (There is no validation for the new owner's organization here.)
  5. The app_1 application is not visible to user_1 from the devportal now.
  6. The app_1 application is now visible to user_2 from the devportal.
  7. user_2 can subscribe to APIs from app_1 and can invoke the APIs.
  8. Change the application owner of app_2 from user_1 to user_2 via the admin portal.
  9. Now app_2 is visible to both user_1 and user_2 with the changed owner, even though user_2 is not available in the test_1 organization.
  10. And the API can be invoked with the same token from both users (by client credential grant type).
  11. If we change the ownership of app_2 back to user_1, app_2 will be visible only to user_1, who is the only user in the test_1 organization, which is expected.

Version

4.5.0

Environment Details (with versions)

No response
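
A minimal model of steps 4 to 9 and of the same-organization rule from the linked documentation, added here as an illustration; it is not WSO2 code. The `User` and `App` types, the `visible_to` rule and the `transfer_*` functions are assumptions made for this sketch.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:
    name: str
    org: Optional[str]                      # None = user belongs to no organization

@dataclass
class App:
    name: str
    owner: User
    shared_with_org: Optional[str] = None   # set when the app is shared with an organization

def visible_to(app: App, user: User) -> bool:
    """Assumed rule: the owner sees the app; others only through an organization share."""
    if app.owner.name == user.name:
        return True
    return app.shared_with_org is not None and user.org == app.shared_with_org

def transfer_unchecked(app: App, new_owner: User) -> None:
    """Behaviour reported in the issue: the new owner's organization is not validated."""
    app.owner = new_owner

def transfer_checked(app: App, new_owner: User) -> None:
    """Documented rule: original and new owner must be in the same organization.
    Assumption: 'no organization' only matches another user with no organization."""
    if app.owner.org != new_owner.org:
        raise PermissionError(
            f"{new_owner.name} is not in the same organization as {app.owner.name}")
    app.owner = new_owner

def reproduce():
    """Replay the reported scenario on constructed data; returns the observed results."""
    user_1, user_2 = User("user_1", "test_1"), User("user_2", None)
    app_1 = App("app_1", owner=user_1)
    app_2 = App("app_2", owner=user_1, shared_with_org="test_1")
    transfer_unchecked(app_1, user_2)       # step 4
    transfer_unchecked(app_2, user_2)       # step 8
    app_1_seen = (visible_to(app_1, user_1), visible_to(app_1, user_2))  # steps 5-6
    app_2_seen = (visible_to(app_2, user_1), visible_to(app_2, user_2))  # step 9
    guarded = App("app_2", owner=user_1, shared_with_org="test_1")
    try:
        transfer_checked(guarded, user_2)
        rejected = False
    except PermissionError:
        rejected = True                     # owner stays user_1, share stays inside test_1
    return app_1_seen, app_2_seen, rejected, guarded.owner.name
```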
