Skip to content

[PM-31356] Event logs: Ensure User has access to Service Account Organization #6997

Open
lastbestdev wants to merge 3 commits intomainfrom
dirt/pm-31356
Open

[PM-31356] Event logs: Ensure User has access to Service Account Organization #6997
lastbestdev wants to merge 3 commits intomainfrom
dirt/pm-31356

Conversation

@lastbestdev
Copy link

@lastbestdev lastbestdev commented Feb 12, 2026

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-31356

📔 Objective

Fix a vulnerability in the service account events API that allowed any Premium/Enterprise User to retrieve events for any service account. This change ensures that the requesting User has access to the Organization the service account belongs to, by checking for it in the list of Orgs in request context. This matches the pattern from other endpoints in EventsController

📸 Screenshots

Before (service account belongs to another Org request User is not a member of)

image

After

image

@lastbestdev lastbestdev requested a review from a team as a code owner February 12, 2026 19:06
@github-actions
Copy link
Contributor

github-actions bot commented Feb 12, 2026
edited
Loading

Logo
Checkmarx One – Scan Summary & Detailsb88ed93d-8772-4a54-b087-e6577607f0a6

Great job! No new security vulnerabilities introduced in this pull request

@codecov
Copy link

codecov bot commented Feb 12, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 0% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 56.31%. Comparing base (bf9cc01) to head (3a97b12).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
src/Api/Dirt/Controllers/EventsController.cs 0.00% 1 Missing ⚠️
Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #6997   +/-   ##
=======================================
  Coverage   56.31%   56.31%           
=======================================
  Files        1987     1987           
  Lines       87730    87730           
  Branches     7821     7821           
=======================================
  Hits        49403    49403           
  Misses      36496    36496           
  Partials     1831     1831

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@sonarqubecloud
Copy link

sonarqubecloud bot commented Feb 13, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@prograhamming prograhamming prograhamming approved these changes

Assignees

No one assigned

Labels

needs-qa

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lastbestdev @prograhamming