mirror of
https://github.com/GSA/notifications-api.git
synced 2025-12-24 09:21:39 -05:00
Currently there aren't any permission checks based on folder IDs in the admin app or the API, so it's possible for a user to modify the folder ID to perform operations on folders outside their service. Our usual way to avoid this is to always filter by service_id when fetching objects from the database.
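The following is an added example, not code from the notifications-api project, showing the unscoped lookup the paragraph warns about beside the service_id-scoped read and write it recommends. The real project talks to Postgres through SQLAlchemy; to run offline this uses the standard-library sqlite3 module with a constructed two-service schema, and the function names (get_folder_unscoped, get_folder_for_service, rename_folder_for_service) and the FolderNotFound exception are hypothetical.

```python
import sqlite3
from typing import Optional


class FolderNotFound(LookupError):
    """Raised when no folder matches both the folder id and the service id."""


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory stand-in for the real database.

    Assumption: the project's Postgres/SQLAlchemy models are reduced here to
    two tables; two services each own one template folder.
    """
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE services (id TEXT PRIMARY KEY, name TEXT NOT NULL)")
    conn.execute(
        "CREATE TABLE template_folder ("
        " id TEXT PRIMARY KEY,"
        " service_id TEXT NOT NULL REFERENCES services(id),"
        " name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO services VALUES (?, ?)",
        [("svc-a", "Service A"), ("svc-b", "Service B")],
    )
    conn.executemany(
        "INSERT INTO template_folder VALUES (?, ?, ?)",
        [("folder-1", "svc-a", "A's folder"), ("folder-2", "svc-b", "B's folder")],
    )
    return conn


def get_folder_unscoped(conn: sqlite3.Connection, folder_id: str) -> Optional[dict]:
    """Vulnerable lookup: keyed on the caller-supplied folder id alone.

    A user of service A who swaps folder-1 for folder-2 in the request gets
    service B's folder back, because nothing ties the row to the service the
    request was authenticated for.
    """
    row = conn.execute(
        "SELECT id, service_id, name FROM template_folder WHERE id = ?",
        (folder_id,),
    ).fetchone()
    return dict(row) if row else None


def get_folder_for_service(conn: sqlite3.Connection, service_id: str, folder_id: str) -> dict:
    """Scoped lookup: service_id (taken from the authenticated route, never
    from the request body) is part of the WHERE clause, so a folder id that
    belongs to another service simply does not match."""
    row = conn.execute(
        "SELECT id, service_id, name FROM template_folder"
        " WHERE id = ? AND service_id = ?",
        (folder_id, service_id),
    ).fetchone()
    if row is None:
        # Same outcome as a non-existent folder: no oracle for
        # "exists but belongs to someone else".
        raise FolderNotFound(folder_id)
    return dict(row)


def rename_folder_for_service(
    conn: sqlite3.Connection, service_id: str, folder_id: str, new_name: str
) -> bool:
    """Scoped write: the UPDATE itself carries the service filter, so the
    ownership check and the modification cannot be separated by a race or a
    forgotten call. Returns True only if exactly one owned row changed."""
    cur = conn.execute(
        "UPDATE template_folder SET name = ? WHERE id = ? AND service_id = ?",
        (new_name, folder_id, service_id),
    )
    conn.commit()
    return cur.rowcount == 1


if __name__ == "__main__":
    db = make_db()
    # Service A's user tampers with the folder id: the unscoped lookup leaks B's folder.
    print("unscoped:", get_folder_unscoped(db, "folder-2"))
    # The scoped lookup and update refuse the cross-service id.
    try:
        get_folder_for_service(db, "svc-a", "folder-2")
    except FolderNotFound as e:
        print("scoped lookup rejected folder:", e)
    print("scoped rename changed a row:", rename_folder_for_service(db, "svc-a", "folder-2", "pwned"))
```

The scoped variants treat a foreign folder id exactly like an unknown one (a 404 in the API layer rather than a 403), and the write puts service_id in the UPDATE itself rather than in a separate ownership check, so the filter cannot be skipped by a later caller.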