Hi maintainers,
I noticed that challenge creation currently checks only host team membership,
not host status or permissions.
While tracing this flow, I also observed that the host team listing endpoint
returns all teams associated with a user without filtering by status or
permissions. Because of this, it seems possible for a user with a non-ACCEPTED
status or non-ADMIN/WRITE permission to access a host team ID and pass the
membership check.
Is this behavior intentional, or should permission checks (e.g. status=ACCEPTED
and permissions in [ADMIN, WRITE]) be enforced at the API level? I might be
missing some context, but happy to work on this if a backend-side check is
desired.
Hi maintainers,
I noticed that challenge creation currently checks only host team membership,
not host status or permissions.
While tracing this flow, I also observed that the host team listing endpoint
returns all teams associated with a user without filtering by status or
permissions. Because of this, it seems possible for a user with a non-ACCEPTED
status or non-ADMIN/WRITE permission to access a host team ID and pass the
membership check.
Is this behavior intentional, or should permission checks (e.g. status=ACCEPTED
and permissions in [ADMIN, WRITE]) be enforced at the API level? I might be
missing some context, but happy to work on this if a backend-side check is
desired.