fix subject slug leak in recruitment

Bengfort requested to merge fix-subject-slug-leak into main

By appending ?context=subjects:participation-list to the contact view URL (e.g. http://localhost:8000/recruitment/1/1/), recruiters will get a link to the "participations" tab in subject management even if they do not have the required permissions for that view. This link contains the subject's slug, which is otherwise not accessible for recruiters. That is why I consider this a security issue, although with low impact.
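The pattern behind this fix, as an added example that is not the project's own code: a link selected by the `?context=` query string is rendered only when the user holds the permission that the target view itself enforces, so the slug never reaches a recruiter's page. `Subject`, `User`, the permission name and the URL paths are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class Subject:
    pk: int
    slug: str  # assumption: only users with subject permissions may learn it


@dataclass
class User:
    perms: set = field(default_factory=set)

    def has_perm(self, perm: str) -> bool:
        return perm in self.perms


# Allowlist of link targets a ?context= value may select, each bound to the
# permission the target view enforces (permission name and path are assumed).
CONTEXT_TARGETS = {
    "subjects:participation-list": (
        "subjects.view_subject",
        lambda s: f"/subjects/{s.slug}/participations/",
    ),
}


def context_from_url(url: str) -> Optional[str]:
    """Extract the ?context= value as the contact view would receive it."""
    values = parse_qs(urlsplit(url).query).get("context")
    return values[0] if values else None


def back_link_vulnerable(user: User, subject: Subject, context: Optional[str]):
    """Before the fix: the link is built from the query string alone, so any
    caller who knows the context name gets a URL containing the slug."""
    target = CONTEXT_TARGETS.get(context)
    return target[1](subject) if target else None


def back_link_fixed(user: User, subject: Subject, context: Optional[str]):
    """After the fix: unknown contexts are dropped and the link is rendered
    only when the user may open the view it points to."""
    target = CONTEXT_TARGETS.get(context)
    if target is None:
        return None
    required_perm, build = target
    return build(subject) if user.has_perm(required_perm) else None
```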