Add backend check to prevent state admin from granting compact permission#1638
Conversation
|
Warning Review limit reached
More reviews will be available in 51 minutes and 6 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (4)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
jlkravitz
left a comment
jlkravitz
left a comment
There was a problem hiding this comment.
LGTM! @isabeleliassen This is good to merge. Once merged, I will do a prod deploy since this is a hotfix.
2 participants
When the readSSN permission was added during development, the check for how it is granted at the compact level was not included in the utility function which verifies the caller's permission scopes to ensure a state admin cannot add permissions at the compact level. The UI prevents this, but in theory a state admin could call the API directly outside of the app UI, so this adds that auth check to prevent that.