Prevent administrators from viewing Activity Delegates for self assessments in a category that doesn't match their own #2926
JIRA link
TD-4880
Description
Added a check for the categoryId of the admin users while fetching the self assessments, making sure we only pull the self assessments that match the categoryId on the admin account of the user. Also added an Unauthorized check for when anyone tries to manipulate the self assessment delegates through the query string of the URL being opened.
If there's a categoryId on the admin account of the user, then show the self assessments that are specific to that categoryId; if there's no categoryId on the admin account of the user, continue showing all the self assessments.
Screenshots
When categoryId is set to null on the admin account, the user can see all the self assessments and can access delegates from all the self assessments.

When categoryId has a value on the admin account, the user can only see the self assessments with that specific categoryId.

In the below example categoryId is set to 34 and it has only 5 assessments that have the same categoryId on them.
If the user tries to manipulate the URL and passes a different selfAssessmentId in the query string parameter, and that self assessment has a different categoryId on it which doesn't match the one on the user's admin account, then show an Unauthorized page.

Developer checks
(Leave tasks unticked if they haven't been appropriate for your ticket.)
I have:
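The two rules the description lays out (scope the list of self assessments to the admin's categoryId when one is set, and reject a selfAssessmentId supplied in the query string whose category does not match) are illustrated below as an added, stand-alone Python example. It is not code from this pull request or from the project; the `AdminAccount` and `SelfAssessment` types, the `delegates_view` function and the sample records are constructed for the example. One point the example makes explicit is that the query-string check is performed server-side against the stored record, independently of what the filtered list shows, so hiding an assessment from the UI is never the only control. Treating an unknown selfAssessmentId the same way as a category mismatch is an assumption, chosen so the response does not reveal whether an id exists.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs


class Unauthorized(Exception):
    """Raised when an admin requests delegates for a self assessment outside their category."""


@dataclass(frozen=True)
class AdminAccount:
    user_id: int
    category_id: Optional[int]  # None means the admin is not scoped to a category


@dataclass(frozen=True)
class SelfAssessment:
    id: int
    category_id: int
    title: str


def visible_self_assessments(admin: AdminAccount,
                             assessments: List[SelfAssessment]) -> List[SelfAssessment]:
    """Rule 1: no categoryId on the admin -> everything; otherwise only matching assessments."""
    if admin.category_id is None:
        return list(assessments)
    return [a for a in assessments if a.category_id == admin.category_id]


def authorize_delegate_access(admin: AdminAccount, self_assessment_id: int,
                              assessments: List[SelfAssessment]) -> SelfAssessment:
    """Rule 2: the id comes from the URL, so re-check it against the stored record.

    The check does not rely on the assessment having been in the list the user was shown.
    """
    match = next((a for a in assessments if a.id == self_assessment_id), None)
    if match is None:
        # Assumption: an unknown id is rejected the same way as a mismatch,
        # so the response does not disclose which ids exist.
        raise Unauthorized(f"self assessment {self_assessment_id} is not accessible")
    if admin.category_id is not None and match.category_id != admin.category_id:
        raise Unauthorized(
            f"self assessment {self_assessment_id} belongs to category "
            f"{match.category_id}, admin is scoped to {admin.category_id}")
    return match


def delegate_access_allowed(admin: AdminAccount, self_assessment_id: int,
                            assessments: List[SelfAssessment]) -> bool:
    """Boolean wrapper around authorize_delegate_access for callers that just need yes/no."""
    try:
        authorize_delegate_access(admin, self_assessment_id, assessments)
        return True
    except Unauthorized:
        return False


def delegates_view(admin: AdminAccount, query_string: str,
                   assessments: List[SelfAssessment]) -> dict:
    """Hypothetical request handler: parses selfAssessmentId from the query string and
    returns a status plus payload. 401 stands in for the 'Unauthorized page' in the PR."""
    params = parse_qs(query_string)
    raw_id = params.get("selfAssessmentId", [None])[0]
    if raw_id is None or not raw_id.isdigit():
        return {"status": 400, "error": "selfAssessmentId missing or not numeric"}
    try:
        assessment = authorize_delegate_access(admin, int(raw_id), assessments)
    except Unauthorized:
        return {"status": 401, "error": "Unauthorized"}
    return {"status": 200, "selfAssessmentId": assessment.id, "title": assessment.title}


# Constructed sample data: five assessments in category 34 (mirroring the screenshot
# description), two in other categories.
ASSESSMENTS = [
    SelfAssessment(1, 34, "Data handling"),
    SelfAssessment(2, 34, "Access control"),
    SelfAssessment(3, 34, "Incident reporting"),
    SelfAssessment(4, 34, "Asset inventory"),
    SelfAssessment(5, 34, "Supplier review"),
    SelfAssessment(6, 12, "Finance controls"),
    SelfAssessment(7, 51, "HR onboarding"),
]
SCOPED_ADMIN = AdminAccount(user_id=100, category_id=34)
UNSCOPED_ADMIN = AdminAccount(user_id=101, category_id=None)

if __name__ == "__main__":
    print([a.id for a in visible_self_assessments(SCOPED_ADMIN, ASSESSMENTS)])
    print(delegates_view(SCOPED_ADMIN, "selfAssessmentId=6", ASSESSMENTS))
    print(delegates_view(UNSCOPED_ADMIN, "selfAssessmentId=6", ASSESSMENTS))
```

Running the block lists the five category-34 ids for the scoped admin, returns a 401 for the scoped admin requesting assessment 6 (category 12) directly by URL, and returns 200 for the unscoped admin making the same request.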