Skip to content

fix: scope ContactTypeGroup lookup to current organization to prevent cross-org access#6888

Open
PhutiCee wants to merge 4 commits intorubyforgood:mainfrom
PhutiCee:fix/scope-contact-type-groups-to-org
Open

fix: scope ContactTypeGroup lookup to current organization to prevent cross-org access#6888
PhutiCee wants to merge 4 commits intorubyforgood:mainfrom
PhutiCee:fix/scope-contact-type-groups-to-org

Conversation

@PhutiCee
Copy link
Copy Markdown

@PhutiCee PhutiCee commented Apr 25, 2026

Summary

Fixes #6351

Problem

An admin from Organization A could visit a direct URL containing the ID
of a ContactTypeGroup belonging to Organization B and successfully edit
or update it. This is a multi-tenancy data isolation bug.

Root Cause

set_contact_type_group used ContactTypeGroup.find(params[:id])
which searches all records globally, ignoring the current user's org.

Fix

Scoped the lookup to the current organization:

# Before
@contact_type_group = ContactTypeGroup.find(params[:id])

# After
@contact_type_group = current_organization.contact_type_groups.find(params[:id])

Also added rescue_from ActiveRecord::RecordNotFound in
ApplicationController to return a proper 404 response instead of
raising an unhandled exception.

Testing

  • Added cross-org request spec for GET edit (expect 404)
  • Added cross-org request spec for PUT update (expect 404, data unchanged)
  • All 14 examples pass, 0 failures

Notes

As @FireLemons noted, similar patterns may exist in HearingTypes and
Judge controllers and would be worth a follow-up fix.

PhutiCee and others added 2 commits April 25, 2026 02:16
@PhutiCee
fix: scope ContactTypeGroup lookup to current organization to prevent…
35fa137 
… cross-org access
@PhutiCee
fix: scope ContactTypeGroup lookup to current organization to prevent…
529e4bc 
… cross-org access

Admins could access and modify ContactTypeGroups belonging to other
organizations by directly visiting the edit URL with a foreign record ID.

Fix scopes the find query to current_organization so cross-org access
raises ActiveRecord::RecordNotFound (404) instead of returning the record.

Also adds a rescue_from ActiveRecord::RecordNotFound handler in
ApplicationController to return a proper 404 response.

Adds request specs covering the cross-organization access scenario for
both GET edit and PUT update endpoints.
@github-actions github-actions Bot added ruby Pull requests that update Ruby code Tests! 🎉💖👏 labels Apr 25, 2026
PhutiCee added 2 commits April 25, 2026 01:21
@PhutiCee
fix: move RecordNotFound handler to ContactTypeGroupsController
433b1d5 
Moving rescue_from ActiveRecord::RecordNotFound from ApplicationController
to ContactTypeGroupsController to avoid interfering with other controllers
that expect the exception to bubble up.

Also fixes Rails/FilePath linting issue and trailing newline in spec file.
@PhutiCee
fix: use Rails.public_path for 404 render per standardrb
1ff6301
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@compwron compwron Awaiting requested review from compwron compwron is a code owner

@FireLemons FireLemons Awaiting requested review from FireLemons FireLemons is a code owner

@elasticspoon elasticspoon Awaiting requested review from elasticspoon elasticspoon is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

ruby Pull requests that update Ruby code Tests! 🎉💖👏

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Bug: Admins can edit Contact Type Groups across Organizations

1 participant

@PhutiCee