Commit e76dd94

PranavShukla7, drosetti and mlodic authored
Fix plugin state viewer org filter (#3640)
* updated PR automation Slow run to avoid executing all the optional containers

* fix(views): scope plugin_state_viewer to user organization

This prevents a cross-organization information disclosure where users could see disabled plugin states from all organizations.

---------

Co-authored-by: Daniele Rosetti <55402684+drosetti@users.noreply.github.com>
Co-authored-by: Matteo Lodi <30625432+mlodic@users.noreply.github.com>
1 parent 4522734 commit e76dd94

1 file changed

Lines changed: 4 additions & 1 deletion

api_app/views.py

@@ -948,7 +948,10 @@ def plugin_state_viewer(request):
948948
raise PermissionDenied()
949949

950950
result = {"data": {}}
951-
for opc in OrganizationPluginConfiguration.objects.filter(disabled=True):
951+
for opc in OrganizationPluginConfiguration.objects.filter(
952+
disabled=True,
953+
organization=request.user.membership.organization,
954+
):
952955
result["data"][opc.config.name] = {
953956
"disabled": True,
954957
}
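Review bot: the new filter at 951-954 dereferences `request.user.membership.organization`, which is only safe if the `raise PermissionDenied()` at 948 already guarantees the caller has a membership; if that guard checks something else, a user with no `Membership` row would hit a `RelatedObjectDoesNotExist` (a 500) on this line instead of a 403, so either confirm the guard covers that case or look the organization up defensively before building the queryset. Two smaller points: `opc.config.name` is read inside the loop at 955, so adding `.select_related("config")` to the queryset avoids one extra query per disabled configuration; and since the commit message describes this as a cross-organization disclosure fix and only one file changes, a regression test that creates two organizations with disabled configurations and asserts the viewer returns only the caller's would pin the new behaviour.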
