This repository was archived by the owner on May 29, 2026. It is now read-only.
Commit 1f71fcd
committed
fix(security): ReportsController — drop _rbac/_multitenancy bypass
`loadDashboard()` was calling the mapper with `_rbac: false,
_multitenancy: false`, then `render()` and `preview()` carry
`@NoAdminRequired`. Combined effect: any authenticated user on any
tenant could render any dashboard by enumerating identifiers, and the
rendered output embeds resolved widget data → cross-tenant exfiltration.
Drop the bypass flags so the standard RBAC + multitenancy filter applies
on every load. Existing schema-level RBAC + tenant scoping is now the
single source of truth for "can this caller see this dashboard?".
Refs: #1419 review (blocker 1) — discussion_r31874944001 parent b7df198 commit 1f71fcd
1 file changed
Lines changed: 7 additions & 5 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
174 | 174 | | |
175 | 175 | | |
176 | 176 | | |
177 | | - | |
178 | | - | |
179 | | - | |
180 | | - | |
181 | | - | |
| 177 | + | |
| 178 | + | |
| 179 | + | |
| 180 | + | |
| 181 | + | |
| 182 | + | |
| 183 | + | |
182 | 184 | | |
183 | 185 | | |
184 | 186 | | |
0 commit comments