fix: solve risk assessment issue

Bulletdev · Bulletdev · commit 013996f804dd · 2026-03-04T12:25:07.000-03:00
diff --git a/app/models/concerns/organization_scoped.rb b/app/models/concerns/organization_scoped.rb
@@ -13,8 +13,9 @@ module OrganizationScoped
       if org_id.present?
         where(organization_id: org_id)
       else
-        Rails.logger.warn("[SCOPE] OrganizationScoped: Current.organization_id is nil for #{name}")
-        all
+        # SECURITY: Fail-safe - retorna scope vazio em vez de expor dados de todas as orgs
+        Rails.logger.error("[SECURITY] OrganizationScoped: organization_id is nil for #{name} - BLOCKING ACCESS")
+        where('1=0')
       end
     }
   end
diff --git a/app/modules/dashboard/controllers/dashboard_controller.rb b/app/modules/dashboard/controllers/dashboard_controller.rb
@@ -163,9 +163,9 @@ def roster_status_data
       def fetch_recent_activities
         # Fetch recent audit logs and format them.
         # includes(:user) preloads the user in one query — avoids N+1 on log.user&.email
-        activities = AuditLog
+        # SECURITY: Use organization_scoped helper for consistent scoping
+        activities = organization_scoped(AuditLog)
                      .includes(:user)
-                     .where(organization: current_organization)
                      .order(created_at: :desc)
                      .limit(20)
 
