customers: GET, PUT, DELETE /customers/:id does not validate organization
adamdecaf opened this issue · 0 comments
adamdecaf commented
Customers Version: v0.5.0-dev23
What were you trying to do?
When loading GET /customers/{customerID}, the X-Organization header is not checked such that the Customer belongs to the Organization.
There's no check in the endpoint currently
https://github.com/moov-io/customers/blob/v0.5.0-dev23/pkg/customers/customers.go#L56-L67
What did you expect to see?
The X-Organization header is used to filter the Customers returned - often by authentication systems.
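The missing tenant check described in this issue, as an added example that is not the project's own code: a stand-alone Go handler with the ID-only lookup the report describes beside an organization-scoped lookup. The Customer type, Store, Sample data, LookupUnscoped, LookupScoped and GetCustomerHandler are hypothetical names and constructed data, not the moov-io/customers API.

```go
package main

import (
	"encoding/json"
	"net/http"
	"strings"
)

// Customer is a hypothetical minimal record; the real project's type differs.
type Customer struct {
	ID, OrganizationID, Name string
}
// Store maps customerID to Customer. Sample holds constructed test data only.
type Store map[string]Customer

var Sample = Store{
	"cust-1": {ID: "cust-1", OrganizationID: "org-a", Name: "Alice"},
	"cust-2": {ID: "cust-2", OrganizationID: "org-b", Name: "Bob"},
}

// LookupUnscoped mirrors the reported bug: the record is fetched by ID alone,
// so any caller who knows an ID reads it regardless of X-Organization.
func (s Store) LookupUnscoped(id string) (Customer, bool) {
	c, ok := s[id]
	return c, ok
}

// LookupScoped is the fix: the organization is part of the lookup key, so a record
// from another tenant looks like one that does not exist; an empty header never matches.
func (s Store) LookupScoped(id, org string) (Customer, bool) {
	c, ok := s[id]
	if !ok || org == "" || c.OrganizationID != org {
		return Customer{}, false
	}
	return c, true
}

// GetCustomerHandler serves GET /customers/{customerID} scoped by X-Organization.
func GetCustomerHandler(s Store) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		id := strings.TrimPrefix(r.URL.Path, "/customers/")
		org := r.Header.Get("X-Organization")
		c, ok := s.LookupScoped(id, org)
		if !ok {
			http.NotFound(w, r) // 404, not 403: do not confirm the ID exists elsewhere
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(c)
	}
}
```

The same scoping applies to PUT and DELETE: the organization belongs in the WHERE clause of the update or delete, not only in the GET.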