casa icon indicating copy to clipboard operation
casa copied to clipboard
verified publisher icon rubyforgood

Bug: Admins can edit Contact Type Groups across Organizations

Open FireLemons opened this issue 9 months ago • 10 comments

Impacted User Types

  • admins

Expected Behavior

A warning showing "Sorry, you are not authorized to perform that action." is shown before an admin can edit a contact type group across an organization.

How to Replicate

ex:

    • Log in as an admin.
    • Click on "Edit Organization" in the left sidebar.
    • Scroll down to under the header "Manage Contact Types".
    • Click "Edit" on one of the contact types.
    • Copy the link to the page.
    • Log out.
    • Paste the link and visit it.
    • Edit the name of the Contact Type Group.
    • Log in as the original admin again.
    • Navigate to the Contact Types again under "Edit Organization"
    • See that the edit from the admin from the other org affected the Contact Type Group from this organization.

Login Details:

Login Emails:

password for all users: 12345678

Questions? Join Slack!

We highly recommend that you join us in slack #casa channel to ask questions quickly. And discord for office hours (currently Tuesday 5-7pm Pacific), stakeholder news, and upcoming new issues.

FireLemons avatar Apr 09 '25 02:04 FireLemons

hey @FireLemons can I work on it ?

CodeGovindz avatar Apr 12 '25 11:04 CodeGovindz

@CodeGovindz go for it :)

compwron avatar Apr 14 '25 03:04 compwron

@CodeGovindz I suspect we may have similar bugs for the other sections of the "Edit Organization" page. If you want, you can test out the other sections (Contact Types, Hearing Types, Judge...) and if they're bugged you'll be able to apply the same fix for those sections.

FireLemons avatar Apr 16 '25 14:04 FireLemons

This issue has been inactive for 250 hours (10.42 days) and will be unassigned after 110 more hours (4.58 days). If you have questions, please

If you are still working on this, comment here to tell the bot to give you more time

github-actions[bot] avatar Apr 27 '25 00:04 github-actions[bot]

This issue has been inactive for 370 hours (15.42 days) and is past the limit of 360 hours (15.00 days) so is being unassigned.You’ve just been unassigned from this ticket due to inactivity – but feel free to pick it back up (or a new one!) in the future! Thank you again for your contribution to this project.

github-actions[bot] avatar May 02 '25 00:05 github-actions[bot]

Hi, I just started looking at the project today, to it's entirely possible I'm missing something, but here is what I found after doing some digging.

I was unable to replicate, specifically step 12, which states the change made by user 2 can be seen when user 1 accesses their org.

But I did notice something that could be improved in the CasaOrgController. Notably, when we set @casa_org we are not using, the id provided in the route, we're getting it at the ApplicationController level via the Organizational concern (code)

This means that if you're logged in as [email protected], even if you try to access another org like /casa_org/2/edit you will still be looking at your own CasaOrg. In fact, the id parameter here doesn't matter at all, if you access /casa_org/thiscouldbeliterallyanything/edit you will still see your own org. The update endpoint behaves the same way, so even though you're sending an update request to a different org, you are updating your own org.

There are a couple of ways to approach this. If now or in the future we want a CasaAdmin to have access to multiple CasaOrgs, we should set the org based on the id in the URL. Another option would be to use a singular resource in the routes file, so the path would be /casa_org/edit (no id)

thebrowski avatar May 18 '25 20:05 thebrowski

Hi, I just started looking at the project today, to it's entirely possible I'm missing something, but here is what I found after doing some digging.

I was unable to replicate, specifically step 12, which states the change made by user 2 can be seen when user 1 accesses their org.

But I did notice something that could be improved in the CasaOrgController. Notably, when we set @casa_org we are not using, the id provided in the route, we're getting it at the ApplicationController level via the Organizational concern (code)

This means that if you're logged in as [email protected], even if you try to access another org like /casa_org/2/edit you will still be looking at your own CasaOrg. In fact, the id parameter here doesn't matter at all, if you access /casa_org/thiscouldbeliterallyanything/edit you will still see your own org. The update endpoint behaves the same way, so even though you're sending an update request to a different org, you are updating your own org.

There are a couple of ways to approach this. If now or in the future we want a CasaAdmin to have access to multiple CasaOrgs, we should set the org based on the id in the URL. Another option would be to use a singular resource in the routes file, so the path would be /casa_org/edit (no id)

We never want a CasaAdmin to be able to access any org other than their own org.

compwron avatar May 22 '25 20:05 compwron

re this - I think it would be better to redirect the url to your own org if you try to go to some other org.

compwron avatar May 22 '25 20:05 compwron

Does this still need doing?

compwron avatar Jul 10 '25 21:07 compwron

This issue has been open without changes for a long time! What's up?

github-actions[bot] avatar Sep 11 '25 02:09 github-actions[bot]