-
Type:
Bug
-
Resolution: Unresolved
-
Priority:
Medium
-
Component/s: Integrations - API
-
None
-
1
-
Severity 3 - Minor
Issue Summary
When creating an alert via a team-based API integration owned by Team Z (for example), if the incoming payload has the Responders field populated with a different team, say, Team W, even though the alert is created for the Owning Team Z, members of Team W is reported to be able to see this Team Z alert.
Steps to Reproduce
- Using Team W and Team Z as example teams, and using the "Create Alert" dialog on the Alerts dashboard, select a team-based API integration belonging to Team Z (for example) in the "API integration" field.
- In the Responders field, select Team W.
- Filling in the Message field and other fields as desired, then Create the alert. This creates an alert with Team Z as Owner.
- Login to Opsgenie as a regular user who is a member of Team W only.
- The same result is obtained when creating the alert using the Alert API
Expected Results
The resulting alert created does not show Team W as responder; and, the regular user who is a member of Team W only should not be able to see the alert assigned to Team Z.
Actual Results
The Team W user is able to view/ack/close/delete this Team Z's alert even though nothing in the alert has Team W as responder.
Workaround
The only workaround is to not populate the Responders field with a different team, like Team W, when creating an alert for the target team, like Team Z in the above described example.