CS-413 [BUG] SoA shows "unavailable" to auditor account#2925
1 issue found across 1 file
Confidence score: 2/5
- There is a concrete security/authorization risk: `ensure-setup` in `apps/api/src/soa/soa.controller.ts` can create SOA records while only requiring `audit:read`, which permits mutation under a read-level scope.
- Given the high severity (7/10) and high confidence (9/10), this is likely user-impacting and raises regression risk if merged without tightening permissions for the endpoint.
- Pay close attention to `apps/api/src/soa/soa.controller.ts`: align endpoint authorization with write/create behavior to avoid privilege escalation.
Reply with feedback, questions, or to request a fix.
@cubic-dev-ai please review it
@chasprowebdev I have started the AI code review. It will take a few minutes to complete.
2 issues found across 8 files
Confidence score: 2/5
- There is a high-risk tenant isolation issue in `apps/api/src/soa/soa.controller.ts`: trusting `organizationId` from the request body instead of enforcing `@OrganizationId()` can allow cross-tenant access/update behavior. `apps/app/src/app/(app)/[orgId]/documents/statement-of-applicability/components/SOAFrameworkTabs.tsx` also has a user-facing regression risk where `getSOASetup` can leave tabs stuck in a perpetual loading spinner when setup is missing or fetch fails.
- Given the high severity (8/10) and high confidence (9/10) on the API scoping issue, this is not quite safe to merge without fixes.
- Pay close attention to `apps/api/src/soa/soa.controller.ts`, `apps/app/src/app/(app)/[orgId]/documents/statement-of-applicability/components/SOAFrameworkTabs.tsx`: enforce tenant scoping in the controller and ensure loading/error fallback exits spinner state.
Reply with feedback, questions, or to request a fix.
@cubic-dev-ai Ultrareview
@chasprowebdev Ultrareview monthly budget exhausted (12/12 used). Budget resets at the start of next month.
@cubic-dev-ai Ultrareview
@chasprowebdev Ultrareview monthly budget exhausted (12/12 used). Budget resets at the start of next month.
@cubic-dev-ai please review it
@chasprowebdev I have started the AI code review. It will take a few minutes to complete.
@cubic-dev-ai review it
@tofikwest I have started the AI code review. It will take a few minutes to complete.
approved
🎉 This PR is included in version 3.69.0 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
This is an automated pull request to merge chas/soa-as-auditor into dev.
It was created by the [Auto Pull Request] action.
Summary by cubic
Allow auditors to view the Statement of Applicability without creating data by adding a read-only `get-setup` API and using it when the user lacks `audit:create` (CS-413). Enforces ISO 27001-only support, passes the trusted org ID to the service, and shows a permission-aware empty state when setup is missing.
- `POST /v1/soa/get-setup` (`audit:read`) returns existing configuration/document (or null) without creating; validates ISO 27001 only and includes latest answers; uses trusted `organizationId`.
- `ensure-setup` for creators and `get-setup` for auditors across the overview card, framework tabs, and SSR page; shows a role-aware empty state instead of a spinner when not set up.
Written for commit 9c6b0a3. Summary will update on new commits.
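The two review findings above (a creating endpoint gated only by `audit:read`, and `organizationId` taken from the request body rather than the trusted request context) and the fix the summary describes (a read-only `get-setup` for auditors, `ensure-setup` kept behind `audit:create`, both scoped to the trusted org) are modelled in the following added example. It is not code from this repository: it is framework-free TypeScript, and `SoaStore`, `ensureSetupUnsafe`, `getSetup`, `ensureSetup` and `loadSoaForUser` are illustrative names, not the project's real controller or service API.

```typescript
// Added example, not code from the repository. Names below are assumptions
// chosen to illustrate the review findings, not the project's real API.

type Scope = "audit:read" | "audit:create";

// Trusted request context. organizationId comes from the authenticated
// session (the role @OrganizationId() plays in the real controller), never
// from the JSON body.
interface Caller {
  userId: string;
  organizationId: string;
  scopes: Scope[];
}

interface SoaSetup {
  organizationId: string;
  framework: string;
  createdBy: string;
}

class ForbiddenError extends Error {
  constructor(msg: string) { super(msg); this.name = "ForbiddenError"; }
}
class BadRequestError extends Error {
  constructor(msg: string) { super(msg); this.name = "BadRequestError"; }
}

// Only ISO 27001 is supported, as the summary states.
const SUPPORTED_FRAMEWORKS: ReadonlySet<string> = new Set(["ISO27001"]);

// In-memory stand-in for the SOA setup table (constructed for the example).
class SoaStore {
  private rows: SoaSetup[] = [];
  find(organizationId: string, framework: string): SoaSetup | null {
    const hit = this.rows.find(
      (r) => r.organizationId === organizationId && r.framework === framework,
    );
    return hit ?? null;
  }
  insert(row: SoaSetup): SoaSetup { this.rows.push(row); return row; }
  count(): number { return this.rows.length; }
}

function requireScope(caller: Caller, scope: Scope): void {
  if (!caller.scopes.includes(scope)) throw new ForbiddenError(`missing scope ${scope}`);
}

function validateFramework(framework: string): void {
  if (!SUPPORTED_FRAMEWORKS.has(framework)) {
    throw new BadRequestError(`unsupported framework ${framework}`);
  }
}

// The pattern the review flagged: a mutating endpoint gated by a read scope,
// with organizationId read from the body. A caller holding only audit:read can
// create rows, and can do so under any tenant id it supplies.
function ensureSetupUnsafe(
  store: SoaStore, caller: Caller, body: { organizationId: string; framework: string },
): SoaSetup {
  requireScope(caller, "audit:read");
  validateFramework(body.framework);
  const existing = store.find(body.organizationId, body.framework);
  return existing ?? store.insert({
    organizationId: body.organizationId, framework: body.framework, createdBy: caller.userId,
  });
}

// Fixed read path (get-setup): audit:read, trusted org id, never writes.
function getSetup(store: SoaStore, caller: Caller, body: { framework: string }): SoaSetup | null {
  requireScope(caller, "audit:read");
  validateFramework(body.framework);
  return store.find(caller.organizationId, body.framework);
}

// Fixed write path (ensure-setup): audit:create, scoped to the caller's tenant.
function ensureSetup(store: SoaStore, caller: Caller, body: { framework: string }): SoaSetup {
  requireScope(caller, "audit:create");
  validateFramework(body.framework);
  return store.find(caller.organizationId, body.framework) ?? store.insert({
    organizationId: caller.organizationId, framework: body.framework, createdBy: caller.userId,
  });
}

// Client-side selection the summary describes: creators call ensure-setup,
// everyone else calls get-setup and gets an empty state instead of a spinner.
function loadSoaForUser(
  store: SoaStore, caller: Caller, framework: string,
): { setup: SoaSetup | null; state: "ready" | "empty" } {
  const setup = caller.scopes.includes("audit:create")
    ? ensureSetup(store, caller, { framework })
    : getSetup(store, caller, { framework });
  return { setup, state: setup ? "ready" : "empty" };
}
```

The check a reviewer would run is the one the test encodes: with only `audit:read`, the unsafe handler writes a row under an organization the caller named in the body, while `getSetup` returns null and leaves the store untouched, and `ensureSetup` refuses the caller outright.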