mirror of
https://github.com/Unleash/unleash.git
synced 2025-01-01 00:08:27 +01:00
c5afa8ff11
## About the changes
This was spotted while testing automated actions. Steps to reproduce:
1. Add an editor user
2. Get a PAT for the editor user
3. As Admin create a feature in a project where the editor user is not a
member and enable the feature
4. Try using the editor's PAT to modify the feature
5. As the editor create a project (you'd be made owner) and try the same
request but just change the project name for the new project just
created (don't change anything else)
**Expected behavior**: you can't disable the feature
**Actual behavior**: the feature is disabled
This does not happen when trying to turn on a flag because during the
turn-on process we do validate if the feature belongs to project when we
call updateStrategy:
|
||
|---|---|---|
| .. | ||
| __snapshots__ | ||
| addons | ||
| db | ||
| domain/project-health | ||
| error | ||
| features | ||
| middleware | ||
| openapi | ||
| proxy | ||
| routes | ||
| schema | ||
| segments | ||
| services | ||
| types | ||
| util | ||
| app.test.ts | ||
| app.ts | ||
| create-config.test.ts | ||
| create-config.ts | ||
| default-custom-auth-deny-all.ts | ||
| internals.ts | ||
| logger.test.ts | ||
| logger.ts | ||
| metric-events.ts | ||
| metrics.test.ts | ||
| metrics.ts | ||
| server-impl.test.ts | ||
| server-impl.ts | ||