[OPSGENIE-517] "Team B" is able to see the alert which is assigned to "Team A", when alert was created using the API under the "Engineering Team A"


      Issue Summary

      Users in "Team B" are able to see alerts that are assigned to "Team A" when the alert was created using the API under "Team A". This was noticed while attempting to toggle off "see all alerts" on the main alerts page. As a result, the user sees alerts even though they are not a member of any team, schedule, or escalation policy on the team that is listed as the responder on the alert.

      Steps to Reproduce

      1. Create a team-owned API integration assigned to Team A.
      2. Using another admin user account that is not a part of Team A, generate an alert in the UI. Select the API integration for Team A, and then enter Team B in the responders field.
      3. When the alert is created, it lists Team A as the responder since they own the integration, but the members of Team B are able to see the alert as if they were a responder, even though they are not listed in the UI.

      Full replication video can be seen here: https://share.getcloudapp.com/2Numdqo0

      Expected Results

      When the integration that is owned by Team A processes and creates the alert, the relationship with Team B would go away. The alert would then fail to return if an Owner or Admin toggles see all alerts and they are not a member of the responder team.

      Actual Results

      The UI believes that Team B was a responder and allows the alert to be viewed via the team API key and within the UI when toggling off see all alerts. Toggling off see all alerts is expected to show only alerts on which you are a responder.

      Workaround

      Update the source that sends the payload so that it specifies the correct responder, or don't specify one. If no responder is specified at all, the integration still assigns the alert to the correct team, which prevents the alert from being viewed by someone who is not actually a responder.
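
One way to apply this workaround at the alert source, as an added example (not Opsgenie's or the reporter's code): a pre-send guard that drops team responders other than the integration's owning team and omits the field entirely when nothing remains. It assumes the Alert API's `responders` list of objects carrying `type` plus `name` or `id`; the function name and sample payloads are constructed for illustration.

```python
import copy


def restrict_team_responders(payload, owner_name, owner_id=None):
    """Drop team responders that are not the integration's owning team.

    Returns (cleaned_payload, dropped). The input dict is not modified.
    Non-team responders (users, schedules, escalations) are left as-is.
    """
    cleaned = copy.deepcopy(payload)
    kept, dropped = [], []
    for entry in cleaned.get("responders", []):
        is_team = entry.get("type") == "team"
        is_owner = entry.get("name") == owner_name or (
            owner_id is not None and entry.get("id") == owner_id
        )
        if is_team and not is_owner:
            dropped.append(entry)   # would grant visibility to another team
        else:
            kept.append(entry)
    if kept:
        cleaned["responders"] = kept
    else:
        # No responder left: omit the field so the team-owned integration
        # assigns the alert to its owning team.
        cleaned.pop("responders", None)
    return cleaned, dropped


if __name__ == "__main__":
    # Constructed payloads for an integration owned by "Team A".
    samples = [
        {"message": "Disk full on db-01",
         "responders": [{"name": "Team B", "type": "team"}]},
        {"message": "API latency high",
         "responders": [{"name": "Team A", "type": "team"},
                        {"name": "Team B", "type": "team"}]},
        {"message": "Cert expiring"},  # no responders specified
    ]
    for sample in samples:
        cleaned, dropped = restrict_team_responders(sample, "Team A")
        for entry in dropped:
            print("dropped responder:", entry)
        print("payload to send:", cleaned)
```

Logging the dropped entries shows which sources still send a mismatched responder and need to be corrected.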


              Unassigned
              cdegidio@atlassian.com Chris DeGidio
              Votes: 2
              Watchers: 5