fix(core): proper authorization when updating group
Description
fix(core): proper authorization when updating group
We can't use user input Group object in RPC when updating group name and description, since user might provide wrong VO ID and it will fail authorization and MFA critical object resolution.
How to test
Call updateGroup
with wrong VO_ID (eg. non existing VO) and it shouldn't fail, since update is based on ID of the existing Group.
Author's checklist
-
I have followed the contribution guidelines -
This MR has been tested or does not change functionality -
I have added relevant merge request dependencies (if this MR has any) -
I have added the correct labels -
I have assigned reviewers (if any are relevant) -
I have edited the documentation (if the changes require it) or I have noted the need for the change if I do not have access to the documentation -
I have marked all introduced BREAKING CHANGES or necessary DEPLOYMENT NOTES in the commit message(s)
Reviewer's checklist
-
This MR has been tested or does not change functionality -
This MR has correct commit message format
Other information
We should check whole API for similar problems (when user provided object is passed to Entry API and hence authorization methods).
Related issues
none