I discovered a vulnerability in your application that allows admins to access details of other organizations. By simply changing the organization ID in the URL from original-ID to modified-ID, I was able to view upcoming posts, admins, and other sensitive information of another organization.
Steps to reproduce the behavior:
1. Log in as an admin user.
2. Navigate to the organization dashboard page with URL: {BASE_URL}/orgdash/id=original-ID
3. Replace original-ID with another valid organization ID (e.g., modified-ID).
4. The page will now display details of the organization with ID modified-ID, even though you don't have authorized access.
original-ID: 6337904485008f171cf29924
modified-ID: 6537904485008f171cf29924 (replaced the second digit from left)
Admins should only be able to access details of organizations that they have been explicitly granted access to. The application should validate the organization ID against the logged-in admin's permissions before fetching or displaying data.
P.S. I do not know whether it is an intentionally implemented feature or indeed a bug. I would like to work on it if it seems to be the latter 👍
Thanks :)
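The pattern the report describes, as an added example that is not code from the original issue or from the project: a route handler that only checks the caller's role and then fetches whatever organization ID the URL carries, beside a hardened handler that validates the ID and checks it against the logged-in admin's own memberships before returning any data. The in-memory `orgs` and `users` tables, the session shape, the `adminOf` field, the handler names and the status codes are constructed assumptions standing in for the real database and route.

```javascript
// Added example, not the project's own code. The in-memory "orgs" and
// "users" tables, the session shape and the handler names are constructed
// assumptions standing in for the real database and route handler.

// Constructed sample data, keyed by the two organization IDs from the report.
const orgs = {
  "6337904485008f171cf29924": {
    name: "Org A",
    admins: ["admin-a"],
    upcomingPosts: ["Org A weekly meeting"],
  },
  "6537904485008f171cf29924": {
    name: "Org B",
    admins: ["admin-b"],
    upcomingPosts: ["Org B fundraiser"],
  },
};

// Constructed user records; adminOf lists the organizations each admin has
// been explicitly granted access to. This is server-side state, never input.
const users = {
  "admin-a": { role: "ADMIN", adminOf: ["6337904485008f171cf29924"] },
  "admin-b": { role: "ADMIN", adminOf: ["6537904485008f171cf29924"] },
  "member-c": { role: "USER", adminOf: [] },
};

// Vulnerable pattern: the handler checks only that the caller has an admin
// role, then fetches whatever organization ID the URL carries.
function orgDashVulnerable(session, orgId) {
  const user = users[session.userId];
  if (!user || user.role !== "ADMIN") return { status: 403 };
  const org = orgs[orgId];
  if (!org) return { status: 404 };
  return { status: 200, body: org };
}

// 24 lowercase hex characters, the shape of the IDs quoted in the report.
const OBJECT_ID = /^[0-9a-f]{24}$/;

// Hardened handler: object-level authorization. The requested ID is
// validated, then checked against the caller's own memberships, which come
// from the server-side user record and the organization's admin list.
function orgDashHardened(session, orgId) {
  if (typeof orgId !== "string" || !OBJECT_ID.test(orgId)) {
    return { status: 400 };
  }
  const user = users[session.userId];
  if (!user) return { status: 401 };
  const org = orgs[orgId];
  const isAdminOfOrg =
    user.role === "ADMIN" &&
    user.adminOf.includes(orgId) &&
    org !== undefined &&
    org.admins.includes(session.userId);
  // Same response for "does not exist" and "not yours": a distinct status
  // for each would let a caller enumerate which 24-hex IDs are real.
  if (!isAdminOfOrg) return { status: 404 };
  return { status: 200, body: org };
}

// Walk through the report: admin-a changes one hex digit of the ID in the URL.
function demo() {
  const session = { userId: "admin-a" };
  const own = "6337904485008f171cf29924";
  const tampered = "6537904485008f171cf29924";
  return {
    vulnerableOwn: orgDashVulnerable(session, own).status,
    vulnerableTampered: orgDashVulnerable(session, tampered).status,
    hardenedOwn: orgDashHardened(session, own).status,
    hardenedTampered: orgDashHardened(session, tampered).status,
  };
}

console.log(demo());
```

The check in the hardened version has to happen before the data is fetched and returned, and it has to use the membership stored on the server; anything the client sends (the URL, a form field, a header) can be edited exactly as the report shows. Denied requests for a well-formed but foreign ID are also worth logging, since a burst of them from one admin session is what ID tampering looks like in the access log.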
Congratulations on making your first Issue! 🎊 If you haven't already, check out our Contributing Guidelines and Issue Reporting Guidelines to ensure that you are following our guidelines for contributing and making issues.