Scott.Idem/OSIT-AE-App-Svelte
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(api): pass real account_id for lookup requests instead of bypass header

Browse Source 
The x-no-account-id bypass was hardcoded to resolve account_id=1 on the
backend, causing account-scoped lookup overrides (e.g. custom country names)
to leak to all callers regardless of their account.

Removing the bypass lets get_object auto-promote the real account_id from
api_cfg, so the backend's existing account filter works correctly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Scott Idem
2026-03-23 20:00:28 -04:00
parent a6f8ff709e
commit 6e22639e6e
1 changed files with 4 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/lib/api/api.ts
View File

@@ -67,11 +67,10 @@ export const get_ae_obj_li_for_lu = async function get_ae_obj_li_for_lu({
console.log(`*** get_ae_obj_li_for_lu() *** for_lu_type=${for_lu_type}`); console.log(`*** get_ae_obj_li_for_lu() *** for_lu_type=${for_lu_type}`);
} }
// Lookup data is global; bypass account-id scope check // Pass headers as-is — get_object will auto-promote the real account_id from api_cfg.
const merged_headers = { // Do NOT use x-no-account-id bypass: the backend hardcodes account_id=1 for that path,
'x-no-account-id': 'Nothing to See Here', // which leaks account-scoped lookup overrides to all callers.
...headers const merged_headers = { ...headers };
};
// Use V3 system for primary lookup types // Use V3 system for primary lookup types
if (['country', 'country_subdivision', 'time_zone'].includes(for_lu_type)) { if (['country', 'country_subdivision', 'time_zone'].includes(for_lu_type)) {