mirror of
https://github.com/GSA/notifications-admin.git
synced 2026-02-27 22:00:59 -05:00
Currently when you load the ‘edit user’ page (which has a URL like `/service/<service_id>/users/<user_id>`) we check that:
- you belong to the service represented by `service_id`
- you have permission to edit users on this service

We don’t check that:
- the user represented by `user_id` belongs to this service

This means that if you could somehow determine another user’s `user_id` (which I don’t think is possible if you don’t already have the manage service permission for that service) then you could:
- edit their permissions on your service (weird, but wouldn’t have any effect)
- change their email address (bad)

This commit adds checks to return a `404` any time you’re looking at a service and trying to do stuff to a user who doesn’t belong to that service.

We can’t add this check to the API easily because there are still times that we want to get/modify users outside the context of a service (eg platform admin pages, or users who have no services).
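The check described in the commit message above, modelled as an added example (not code from the commit or the project). The in-memory `MEMBERS` table, the `manage_service` permission name, the `NotFound` exception standing in for the `404`, and all function names are assumptions made for illustration.

```python
class NotFound(Exception):
    """Stands in for the HTTP 404 response (hypothetical name)."""


# Constructed sample data: service_id -> {user_id: permissions on that service}
MEMBERS = {
    "service-a": {"alice": {"manage_service"}, "carol": {"send_messages"}},
    "service-b": {"bob": {"send_messages"}},
}


def new_email_store():
    """Fresh copy of the constructed user_id -> email table."""
    return {"alice": "alice@example.com", "bob": "bob@example.com",
            "carol": "carol@example.com"}


def check_caller(caller_id, service_id):
    """The two checks that were already in place before the fix."""
    perms = MEMBERS.get(service_id, {}).get(caller_id)
    if perms is None:
        raise PermissionError("caller does not belong to this service")
    if "manage_service" not in perms:
        raise PermissionError("caller cannot edit users on this service")


def edit_email_before(emails, caller_id, service_id, user_id, new_email):
    """Pre-fix behaviour: user_id is never tied to service_id."""
    check_caller(caller_id, service_id)
    emails[user_id] = new_email


def edit_email_after(emails, caller_id, service_id, user_id, new_email):
    """Post-fix behaviour: a target outside the service is 'not found'."""
    check_caller(caller_id, service_id)
    if user_id not in MEMBERS.get(service_id, {}):
        raise NotFound(user_id)
    emails[user_id] = new_email
```

Raising the same not-found error for a user who exists elsewhere and for a user who does not exist at all keeps the response from confirming that a guessed `user_id` is valid.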