fix(membership): Ensure membership is in current organization when revoking #2658

Merged: 1 commit, Oct 4, 2024

vincent-pochet
Collaborator

Context

Today it is possible to revoke a membership from any organization as long as you know the ID.
The Mutations::Memberships::Revoke is delegating the logic to Memberships::RevokeService, but this service is not checking that the membership is part of any organization (Membership.find_by).

Description

This PR refactors the service to use the common call pattern.
It also updates the mutation to require an Organization and look up the membership with a scope to the current organization.

vincent-pochet force-pushed the fix_membership_revoke_security branch from 56c0be5 to 5fa2482 on October 4, 2024 08:07
vincent-pochet force-pushed the fix_membership_revoke_security branch from 5fa2482 to c0b4a99 on October 4, 2024 09:04
vincent-pochet merged commit 4c01c0b into main on Oct 4, 2024
6 checks passed
vincent-pochet deleted the fix_membership_revoke_security branch on October 4, 2024 11:53
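
The lookup change described in the PR description above, as an added Ruby illustration that is not the project's code: an ID-only lookup beside one scoped to the caller's organization. `MembershipStore`, `Result`, `revoke_unscoped`, `revoke_scoped` and the sample IDs are hypothetical stand-ins for the model and service the PR names.

```ruby
# Added illustration with in-memory stand-ins; not the project's models or services.
Membership = Struct.new(:id, :organization_id, :status)
Result = Struct.new(:success, :error, :membership)

class MembershipStore
  def initialize(rows)
    @rows = rows
  end

  # Unscoped lookup: anyone who knows the ID gets the record.
  def find_by_id(id)
    @rows.find { |m| m.id == id }
  end

  # Scoped lookup: the record must also belong to the given organization.
  def find_in_org(organization_id, id)
    @rows.find { |m| m.id == id && m.organization_id == organization_id }
  end
end

# Constructed sample data: two organizations with one active membership each.
def sample_store
  MembershipStore.new([
    Membership.new("m-acme-1", "org-acme", :active),
    Membership.new("m-globex-1", "org-globex", :active)
  ])
end

def revoke(membership)
  # A missing ID and another organization's ID give the same failure.
  return Result.new(false, :not_found, nil) if membership.nil?

  membership.status = :revoked
  Result.new(true, nil, membership)
end

# Before: the client-supplied ID is the only selector.
def revoke_unscoped(store, membership_id)
  revoke(store.find_by_id(membership_id))
end

# After: current_organization_id is assumed to come from the authenticated
# request context, never from client input, and is required.
def revoke_scoped(store, current_organization_id, membership_id)
  return Result.new(false, :organization_required, nil) if current_organization_id.nil?

  revoke(store.find_in_org(current_organization_id, membership_id))
end
```

A regression spec for this class of bug asserts that the other organization's record is still active after the scoped call fails, not only that the call returned an error.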