
fix: scope ContactTypeGroup lookup to current organization to prevent cross-org access#6888

Open
PhutiCee wants to merge 4 commits into rubyforgood:main from PhutiCee:fix/scope-contact-type-groups-to-org

Conversation

@PhutiCee

Summary

Fixes #6351

Problem

An admin from Organization A could visit a direct URL containing the ID
of a ContactTypeGroup belonging to Organization B and successfully edit
or update it. This is a multi-tenancy data isolation bug.

Root Cause

set_contact_type_group used ContactTypeGroup.find(params[:id])
which searches all records globally, ignoring the current user's org.

Fix

Scoped the lookup to the current organization:

# Before
@contact_type_group = ContactTypeGroup.find(params[:id])

# After
@contact_type_group = current_organization.contact_type_groups.find(params[:id])

Also added rescue_from ActiveRecord::RecordNotFound in
ApplicationController to return a proper 404 response instead of
raising an unhandled exception.

Testing

  • Added cross-org request spec for GET edit (expect 404)
  • Added cross-org request spec for PUT update (expect 404, data unchanged)
  • All 14 examples pass, 0 failures

Notes

As @FireLemons noted, similar patterns may exist in HearingTypes and
Judge controllers and would be worth a follow-up fix.
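The pattern described in the Fix section above, as an added illustration in plain Ruby rather than Rails: the classes below (RecordNotFound, Relation, Organization, ContactTypeGroup, ContactTypeGroupsController) are hypothetical stand-ins for the ActiveRecord and controller objects the PR touches, not the CASA project's own code. The unscoped `ContactTypeGroup.find` shows why any valid id resolves regardless of the caller's organization; the association-scoped lookup only sees the current organization's rows, and the controller maps the resulting RecordNotFound to a 404 the way the PR's rescue_from does.

```ruby
# Added illustration of the pattern in this PR, in plain Ruby rather than Rails.
# All classes here are hypothetical stand-ins, not the CASA project's code.

class RecordNotFound < StandardError; end   # stand-in for ActiveRecord::RecordNotFound

class ContactTypeGroup
  attr_reader :id, :organization_id
  attr_accessor :name

  @all = []

  def initialize(id:, organization_id:, name:)
    @id = id
    @organization_id = organization_id
    @name = name
  end

  class << self
    attr_reader :all

    def create(**attrs)
      group = new(**attrs)
      @all << group
      group
    end

    def reset!
      @all = []
    end

    # The "before" lookup: searches every organization's records, so any
    # valid id is returned regardless of which organization is asking.
    def find(id)
      all.find { |g| g.id == id } || raise(RecordNotFound, "ContactTypeGroup #{id} not found")
    end
  end
end

# Stand-in for an association relation such as `organization.contact_type_groups`:
# `find` only ever sees records already filtered to the owning organization.
class Relation
  def initialize(records)
    @records = records
  end

  def find(id)
    @records.find { |g| g.id == id } ||
      raise(RecordNotFound, "ContactTypeGroup #{id} not found in this organization")
  end
end

class Organization
  attr_reader :id

  def initialize(id)
    @id = id
  end

  def contact_type_groups
    Relation.new(ContactTypeGroup.all.select { |g| g.organization_id == id })
  end
end

# The "after" controller: scoped lookup plus rescue_from-style 404 mapping.
# `update` returns [http_status, record_or_nil] so callers can check the outcome.
class ContactTypeGroupsController
  def initialize(current_organization)
    @current_organization = current_organization
  end

  def update(params)
    group = @current_organization.contact_type_groups.find(params[:id])
    group.name = params[:name]
    [200, group]
  rescue RecordNotFound
    [404, nil]   # mirrors rescue_from ActiveRecord::RecordNotFound -> 404 in the PR
  end
end

# Constructed sample data: one group per organization.
def seed!
  ContactTypeGroup.reset!
  ContactTypeGroup.create(id: 10, organization_id: 1, name: "Org A group")
  ContactTypeGroup.create(id: 20, organization_id: 2, name: "Org B group")
  [Organization.new(1), Organization.new(2)]
end

if __FILE__ == $PROGRAM_NAME
  org_a, _org_b = seed!
  status, _record = ContactTypeGroupsController.new(org_a).update(id: 20, name: "renamed")
  puts "Org A updating Org B's group -> HTTP #{status}"
end
```

Running the file prints `HTTP 404` for the cross-organization update and leaves the other organization's record untouched, which is the same pair of assertions the PR's request specs make (404 status, data unchanged).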

PhutiCee and others added 2 commits April 25, 2026 02:16
… cross-org access

Admins could access and modify ContactTypeGroups belonging to other
organizations by directly visiting the edit URL with a foreign record ID.

Fix scopes the find query to current_organization so cross-org access
raises ActiveRecord::RecordNotFound (404) instead of returning the record.

Also adds a rescue_from ActiveRecord::RecordNotFound handler in
ApplicationController to return a proper 404 response.

Adds request specs covering the cross-organization access scenario for
both GET edit and PUT update endpoints.
@github-actions github-actions Bot added ruby Pull requests that update Ruby code Tests! 🎉💖👏 labels Apr 25, 2026
Moving rescue_from ActiveRecord::RecordNotFound from ApplicationController
to ContactTypeGroupsController to avoid interfering with other controllers
that expect the exception to bubble up.

Also fixes Rails/FilePath linting issue and trailing newline in spec file.


Development

Successfully merging this pull request may close these issues.

Bug: Admins can edit Contact Type Groups across Organizations
