Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
2.1.0
-
None
-
None
Description
The following api route does not take into consideration the tenancy of the specified user:
get( "/api/$version/users/:id/deliveryservices
it currently does the following:
1. it checks the tenancy of the specified user vs. the tenancy of the current user to ensure the current user can see the specified user <-- this is good
2. it queries the deliveryservice_tmuser table to find the delivery services associated to the tm_user and then if finally filters the results based on the current user's tenancy <-- it should not query this table if use_tenancy = 1
if use_tenancy = 0, it should work the way it does now
if use_tenancy = 1, it should not query the deliveryservice_tmuser table but instead query the deliveryservice table and filter the results against the specified user's tenant AND the current user's tenant.