
[PM-31356] Event logs: Ensure User has access to Service Account Organization #6997

Fix a vulnerability in the service account events API that allowed any Premium/Enterprise User to retrieve events for any service account. This change ensures that the requesting User has access to the Organization the service account belongs to, by checking that the service account's Organization appears in the list of Organizations in the request context. This matches the pattern used by other endpoints in EventsController.
This commit is contained in:
Brad
2026-02-17 10:06:03 -08:00
committed by GitHub
parent 0874163911
commit 3753a5e853


@@ -212,7 +212,7 @@ public class EventsController : Controller
}
var serviceAccount = await GetServiceAccount(id, orgId);
var org = _currentContext.GetOrganization(orgId);
var org = _currentContext.GetOrganization(serviceAccount.OrganizationId);
if (org == null || !await _currentContext.AccessEventLogs(org.Id))
{