A user in a deleted organization has access to all organizations
Opened this issue · 1 comments
marien-probesys commented
How to reproduce?
- Create an organization
- Create a user in this organization
- Log in with this user
- Check that the user only has access to its organization (and not to the root organization)
- With this user, delete the organization
- Refresh the page and check that the user now has access to the root organization
What was expected?
The user cannot access the application because he's no longer attached to an existing organization.
What's the issue?
In App\v1\Controllers\Type::getAll(), the organizations accessible to the user are returned with:
$organizations = \App\v1\Common::getOrganizationsIds($token);
The issue comes from the method getOrganizationsIds:
$organization = \App\v1\Models\Item::find($token->organization_id);
// $organization is null because it has been deleted
$orgs = \App\v1\Models\Item::where('type_id', 1)->where('treepath', 'like', $organization->treepath . '%');
// $orgs is full because `$organization->treepath` is also null, and `null . '%'` is equal to '%'
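The lookup described in this comment beside a fail-closed version, as an added example that is not the project's code: a small in-memory stand-in for the Item model is constructed here so both can be run with plain PHP. Item::find(), the chained where() calls, type_id, treepath and organization_id follow the names used above; the sample rows, the get() and delete() methods and the token object are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the project. The in-memory rows, ItemQuery,
// get(), delete() and the token are constructed here for illustration.

final class ItemQuery
{
    /** @var list<array{0:string,1:string,2:mixed}> */
    private array $filters = [];

    public function __construct(private array $rows) {}

    public function where(string $column, mixed $opOrValue, mixed $value = null): self
    {
        // Two-argument form means equality, as in Eloquent-style builders.
        [$op, $value] = func_num_args() === 2 ? ['=', $opOrValue] : [$opOrValue, $value];
        $this->filters[] = [$column, (string) $op, $value];
        return $this;
    }

    public function get(): array
    {
        return array_values(array_filter($this->rows, fn (array $r) => $this->matches($r)));
    }

    private function matches(array $row): bool
    {
        foreach ($this->filters as [$column, $op, $value]) {
            $ok = match ($op) {
                '='    => (string) $row[$column] === (string) $value,
                // SQL LIKE with '%' as the wildcard, so a bare '%' matches every row.
                'like' => preg_match('/^' . str_replace('%', '.*', preg_quote((string) $value, '/')) . '$/',
                                     (string) $row[$column]) === 1,
            };
            if (!$ok) {
                return false;
            }
        }
        return true;
    }
}

final class Item
{
    /** @var array<int, array{id:int,type_id:int,treepath:string}> constructed sample organizations */
    private static array $rows = [
        1 => ['id' => 1, 'type_id' => 1, 'treepath' => '0001'],      // root organization
        2 => ['id' => 2, 'type_id' => 1, 'treepath' => '00010002'],  // the user's organization
        3 => ['id' => 3, 'type_id' => 1, 'treepath' => '00010003'],  // an unrelated sibling
    ];

    public static function find(int $id): ?object
    {
        return isset(self::$rows[$id]) ? (object) self::$rows[$id] : null;
    }

    public static function delete(int $id): void
    {
        unset(self::$rows[$id]);
    }

    // Item::where(...) starts a query, mirroring the static call in the issue.
    public static function __callStatic(string $name, array $args): ItemQuery
    {
        return (new ItemQuery(self::$rows))->$name(...$args);
    }
}

// The lookup as described in the issue: once the organization row is gone,
// $organization is null, the prefix collapses to '' and 'like %' matches everything.
// The @ only silences PHP's "property on null" warning so the output stays readable.
function getOrganizationsIdsVulnerable(object $token): array
{
    $organization = Item::find($token->organization_id);
    $orgs = Item::where('type_id', 1)
        ->where('treepath', 'like', @$organization->treepath . '%')
        ->get();
    return array_column($orgs, 'id');
}

// Fail-closed variant: a token bound to a missing organization grants nothing.
function getOrganizationsIdsHardened(object $token): array
{
    $organization = Item::find($token->organization_id);
    if ($organization === null) {
        return [];
    }
    $orgs = Item::where('type_id', 1)
        ->where('treepath', 'like', $organization->treepath . '%')
        ->get();
    return array_column($orgs, 'id');
}

$token = (object) ['organization_id' => 2];  // constructed token for a user in organization 2

echo 'Before deletion, vulnerable: ', json_encode(getOrganizationsIdsVulnerable($token)), PHP_EOL;
echo 'Before deletion, hardened:   ', json_encode(getOrganizationsIdsHardened($token)), PHP_EOL;

Item::delete(2);  // the user deletes their own organization

echo 'After deletion, vulnerable:  ', json_encode(getOrganizationsIdsVulnerable($token)), PHP_EOL;
echo 'After deletion, hardened:    ', json_encode(getOrganizationsIdsHardened($token)), PHP_EOL;
```

Before the deletion both functions agree and return only the user's own organization. After it, the vulnerable lookup returns the root organization and the unrelated sibling, which is exactly the over-grant the reproduction steps show, while the hardened one returns an empty list; the caller can then treat an empty result as "no organization, no access" rather than falling through to the root.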
marien-probesys commented
Also: the user is not deleted in the database, but he's not returned either by the API when I list the users.