[PM-3779] idor allow the attacker to delete the victim domain (#3308)

* [PM-3779] Added IOrganizationDomainRepository.GetDomainByIdAndOrganizationIdAsync and SQL stored procedure * [PM-3779] Changed GetOrganizationDomainByIdQuery to also take OrgId as a parameter. Updated existing unit tests and added new. Updated controller to match command changes * [PM-3779] Removed type from url routes * [PM-3779] Renamed IGetOrganizationDomainByIdAndOrganizationIdQuery to IGetOrganizationDomainByIdOrganizationIdQuery * [PM-3779] Renamed GetOrganizationDomainByIdOrganizationIdQueryTests file and added more tests
2025-07-04 01:22:50 -05:00 · 2023-10-18 11:57:59 +01:00
parent cb73056c42
commit 21219262a2
22 changed files with 312 additions and 176 deletions
--- a/src/Infrastructure.Dapper/Repositories/OrganizationDomainRepository.cs
+++ b/src/Infrastructure.Dapper/Repositories/OrganizationDomainRepository.cs
@ -69,6 +69,20 @@ public class OrganizationDomainRepository : Repository<OrganizationDomain, Guid>
        }
    }

+    public async Task<OrganizationDomain> GetDomainByIdOrganizationIdAsync(Guid id, Guid orgId)
+    {
+        using (var connection = new SqlConnection(ConnectionString))
+        {
+            var results = await connection
+                .QueryAsync<OrganizationDomain>(
+                    $"[{Schema}].[OrganizationDomain_ReadByIdOrganizationId]",
+                    new { Id = id, OrganizationId = orgId },
+                    commandType: CommandType.StoredProcedure);
+
+            return results.SingleOrDefault();
+        }
+    }
+
    public async Task<OrganizationDomain> GetDomainByOrgIdAndDomainNameAsync(Guid orgId, string domainName)
    {
        using (var connection = new SqlConnection(ConnectionString))