
/store/companies endpoint exposes company data to logged in users #111

Open
lexvz14 opened this issue Nov 26, 2024 · 1 comment

Comments

@lexvz14

lexvz14 commented Nov 26, 2024

Hi there,

More of a heads-up than a bug, but the /store/companies endpoint exposes quite a bit of data to all users that have access to the platform as a customer. We plan on using Medusa for both B2B as well as B2C. The current structure allows B2C users to access B2B company data too. Besides that, employees from company A could fetch data for company B.

I added a filter to the GET /store/companies endpoint so that it only returns a company where the requestor is an employee, otherwise 404 is returned.

Depends on the use case I suppose, but worth knowing I suppose.

Thanks and best,
Lex
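The scoping the reporter describes, written out as an added example: this is not Medusa's code nor the reporter's change. The `Company` and `Employee` shapes, the in-memory `COMPANIES` store, and the handler signatures are assumptions made for illustration; in a real Medusa store route the customer id would come from the authenticated request and the employee filter would be pushed into the database query rather than applied in memory. The unscoped handler is shown first as the behaviour the issue reports, then the scoped list and detail handlers.

```typescript
// Added example (not Medusa's own code): scoping /store/companies to the
// requesting customer. Company, Employee, COMPANIES and the handler
// signatures are assumptions for illustration.

interface Employee {
  id: string;
  customer_id: string; // the customer account this employee record belongs to
  company_id: string;
}

interface Company {
  id: string;
  name: string;
  employees: Employee[];
}

interface StoreResponse {
  status: number;
  body: unknown;
}

// Constructed sample data: two companies with one employee each.
const COMPANIES: Company[] = [
  {
    id: "comp_a",
    name: "Company A",
    employees: [{ id: "emp_1", customer_id: "cus_alice", company_id: "comp_a" }],
  },
  {
    id: "comp_b",
    name: "Company B",
    employees: [{ id: "emp_2", customer_id: "cus_bob", company_id: "comp_b" }],
  },
];

// BEFORE: the behaviour the issue describes. Any logged-in customer,
// B2C or an employee of a different company, receives every company.
function getCompaniesUnscoped(store: Company[] = COMPANIES): StoreResponse {
  return { status: 200, body: { companies: store } };
}

// Authorization filter: a customer may see a company only if an employee
// record links that customer to it. No customer id (anonymous request or
// a B2C account with no employee record) yields nothing.
function companiesForCustomer(store: Company[], customerId: string | undefined): Company[] {
  if (!customerId) return [];
  return store.filter((c) => c.employees.some((e) => e.customer_id === customerId));
}

// AFTER: GET /store/companies. Respond 404 rather than 403 when the filter
// leaves nothing, so the response does not confirm that other companies exist.
function getCompanies(customerId: string | undefined, store: Company[] = COMPANIES): StoreResponse {
  const companies = companiesForCustomer(store, customerId);
  if (companies.length === 0) {
    return { status: 404, body: { message: "Company not found" } };
  }
  return { status: 200, body: { companies } };
}

// The same check on the detail route GET /store/companies/:id; filtering only
// the list endpoint would still let an employee of company A fetch company B by id.
function getCompanyById(
  customerId: string | undefined,
  companyId: string,
  store: Company[] = COMPANIES
): StoreResponse {
  const company = companiesForCustomer(store, customerId).find((c) => c.id === companyId);
  if (!company) {
    return { status: 404, body: { message: "Company not found" } };
  }
  return { status: 200, body: { company } };
}
```

Applying `companiesForCustomer` in both handlers keeps the decision in one place; whatever other store routes expand or embed company data (employees, quotes, addresses) need the same filter, otherwise the data leaks through a different path.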

@sgirones sgirones assigned sgirones and unassigned sgirones Nov 26, 2024
@riqwan
Contributor

riqwan commented Nov 26, 2024

Thanks for surfacing this @lexvz14, we've created a ticket internally to track this :)

@riqwan riqwan closed this as completed Nov 26, 2024
@riqwan riqwan reopened this Nov 26, 2024