Summary
The automatic parent-organisation linkage for newly created organisations has been deliberately disabled via a HOTFIX because it interacted badly with hierarchical RBAC filtering. Child organisations are no longer linked to their parent, which removes the parent-child scoping that the RBAC layer relies on. Surfaced during the 2026-05-24/25 retrofit reverse-spec work.
Location
lib/Service/OrganisatieService.php, createOrganisationEntityInternal(), lines 251-289 (HOTFIX docblock + commented-out parent assignment + createOrganisation() call without parent).
Observed behavior
/**
* ...
* HOTFIX: Parent organisation setting has been disabled due to RBAC issues.
* Previously, new organisations were automatically set as children of the active organisation,
* but this caused permission problems where users could not access newly created organisations.
* TODO: Re-enable parent organisation setting after fixing RBAC logic.
*/
private function createOrganisationEntityInternal(...): \OCA\OpenRegister\Db\Organisation {
// HOTFIX: Commented out automatic parent organisation setting due to RBAC issues.
// When child organisations are created, the parent relationship causes permission problems.
// ...
// Disabled: $parentOrganisationUuid = $this->getActiveOrganisationUuid(organisationService: $organisationService).
...
$organisationEntity = $organisationService->createOrganisation(
name: (string) $mappedData['naam'],
description: (string) ($mappedData['type'] ?? ''),
addCurrentUser: false,
uuid: $organizationUuid
// NOTE: no parent passed
);
Impact
OWASP A01 (Broken Access Control). The parent-organisation relationship is what scopes a child organisation under its parent's hierarchical RBAC. By creating every organisation with no parent, the intended hierarchical containment is bypassed:
- New organisations are created flat / unscoped rather than under the active (parent) organisation, so the access boundary the hierarchy was meant to enforce is not applied.
- This is a hotfix-shaped "disable the check to make the error go away" pattern; the underlying RBAC bug was never fixed, only routed around.
The exact exposure depends on how the RBAC layer treats parent-less organisations (whether flat == globally visible or flat == isolated) — that should be confirmed against OpenRegister's RBAC filtering before deciding severity, but either way the documented authorization model is not being enforced as designed.
Suggested fix
Restore the parent-organisation assignment. The HOTFIX was applied because the parent-child link caused "users could not access newly created organisations" — that is an RBAC-filtering bug in the access-grant path, not a reason to drop the relationship. Fix the underlying RBAC logic (e.g. ensure the creating user is granted access to the new child org) and re-enable parent linkage, rather than leaving the scoping disabled.
Source PR
#292
Summary
The automatic parent-organisation linkage for newly created organisations has been deliberately disabled via a HOTFIX because it interacted badly with hierarchical RBAC filtering. Child organisations are no longer linked to their parent, which removes the parent-child scoping that the RBAC layer relies on. Surfaced during the 2026-05-24/25 retrofit reverse-spec work.
Location
lib/Service/OrganisatieService.php,createOrganisationEntityInternal(), lines 251-289 (HOTFIX docblock + commented-out parent assignment +createOrganisation()call withoutparent).Observed behavior
Impact
OWASP A01 (Broken Access Control). The parent-organisation relationship is what scopes a child organisation under its parent's hierarchical RBAC. By creating every organisation with no parent, the intended hierarchical containment is bypassed:
The exact exposure depends on how the RBAC layer treats parent-less organisations (whether flat == globally visible or flat == isolated) — that should be confirmed against OpenRegister's RBAC filtering before deciding severity, but either way the documented authorization model is not being enforced as designed.
Suggested fix
Restore the parent-organisation assignment. The HOTFIX was applied because the parent-child link caused "users could not access newly created organisations" — that is an RBAC-filtering bug in the access-grant path, not a reason to drop the relationship. Fix the underlying RBAC logic (e.g. ensure the creating user is granted access to the new child org) and re-enable parent linkage, rather than leaving the scoping disabled.
Source PR
#292