You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Location:lib/Controller/ApplicationVersionsController.php:524-530 vs lib/Controller/ApplicationsController.php:726-767
Description:
NC-admin bypass is audited inconsistently across controllers:
ApplicationsController calls recordAdminBypass(...), which writes into OR's per-object audit trail AND PSR log — bypass events appear in the permission-history panel (REQ-OBRBAC-006).
ApplicationVersionsController::requireRole only writes a PSR log entry on bypass. The same NC-admin opening a non-production version under admin bypass leaves no per-application audit-trail record. The permission-history panel loses fidelity for version-level operations.
Suggested fix:
Centralise admin-bypass auditing in a shared service (e.g., AuditService::recordAdminBypass) called by both controllers and the MCP dispatcher.
Ensure every bypass writes to the OR per-object audit trail, not just PSR log.
Severity: MEDIUM
Location:
lib/Controller/ApplicationVersionsController.php:524-530vslib/Controller/ApplicationsController.php:726-767Description:
NC-admin bypass is audited inconsistently across controllers:
ApplicationsControllercallsrecordAdminBypass(...), which writes into OR's per-object audit trail AND PSR log — bypass events appear in the permission-history panel (REQ-OBRBAC-006).ApplicationVersionsController::requireRoleonly writes a PSR log entry on bypass. The same NC-admin opening a non-production version under admin bypass leaves no per-application audit-trail record. The permission-history panel loses fidelity for version-level operations.Suggested fix:
AuditService::recordAdminBypass) called by both controllers and the MCP dispatcher.Source: deep team-reviewer pass 2026-05-27