[PM-3779] idor allow the attacker to delete the victim domain (#3308)

* [PM-3779] Added IOrganizationDomainRepository.GetDomainByIdAndOrganizationIdAsync and SQL stored procedure * [PM-3779] Changed GetOrganizationDomainByIdQuery to also take OrgId as a parameter. Updated existing unit tests and added new. Updated controller to match command changes * [PM-3779] Removed type from url routes * [PM-3779] Renamed IGetOrganizationDomainByIdAndOrganizationIdQuery to IGetOrganizationDomainByIdOrganizationIdQuery * [PM-3779] Renamed GetOrganizationDomainByIdOrganizationIdQueryTests file and added more tests
2025-07-10 04:14:41 -05:00 · 2023-10-18 11:57:59 +01:00
parent cb73056c42
commit 21219262a2
22 changed files with 312 additions and 176 deletions
--- a/src/Core/Repositories/IOrganizationDomainRepository.cs
+++ b/src/Core/Repositories/IOrganizationDomainRepository.cs
@ -9,6 +9,7 @@ public interface IOrganizationDomainRepository : IRepository<OrganizationDomain,
    Task<ICollection<OrganizationDomain>> GetDomainsByOrganizationIdAsync(Guid orgId);
    Task<ICollection<OrganizationDomain>> GetManyByNextRunDateAsync(DateTime date);
    Task<OrganizationDomainSsoDetailsData> GetOrganizationDomainSsoDetailsAsync(string email);
+    Task<OrganizationDomain> GetDomainByIdOrganizationIdAsync(Guid id, Guid organizationId);
    Task<OrganizationDomain> GetDomainByOrgIdAndDomainNameAsync(Guid orgId, string domainName);
    Task<ICollection<OrganizationDomain>> GetExpiredOrganizationDomainsAsync();
    Task<bool> DeleteExpiredAsync(int expirationPeriod);