lock down datasets to orgs

apps/api/libs/dataset_security/src/lib.rs

@@ -290,10 +290,15 @@ pub async fn get_permissioned_datasets(
         return Ok(Vec::new()); // No datasets accessible
     }
 
+    // Get all organization IDs for the user  
+    let org_ids: Vec<Uuid> = user_orgs.into_iter().map(|(org_id, _)| org_id).collect();
+
     // Fetch the actual dataset info for the combined IDs with pagination
+    // IMPORTANT: Filter by organization to prevent cross-org data access
     let mut conn = get_pg_pool().get().await.context("DB Error")?; // Get final connection
     datasets::table
         .filter(datasets::id.eq_any(all_accessible_ids))
+        .filter(datasets::organization_id.eq_any(org_ids))
         .filter(datasets::deleted_at.is_null()) 
         .select(PermissionedDataset::as_select())
         .order(datasets::name.asc()) 

packages/access-controls/src/access-controls.ts

@@ -300,7 +300,11 @@ export async function getPermissionedDatasets(
     return []; // No datasets accessible
   }
 
+  // Get all organization IDs for the user
+  const organizationIds = userOrgs.map(org => org.organizationId);
+
   // Fetch the actual dataset info for the combined IDs with pagination
+  // IMPORTANT: Filter by organization to prevent cross-org data access
   const results = await db
     .select({
       id: datasets.id,
@@ -312,7 +316,13 @@ export async function getPermissionedDatasets(
       dataSourceId: datasets.dataSourceId,
     })
     .from(datasets)
-    .where(and(inArray(datasets.id, Array.from(allAccessibleIds)), isNull(datasets.deletedAt)))
+    .where(
+      and(
+        inArray(datasets.id, Array.from(allAccessibleIds)),
+        inArray(datasets.organizationId, organizationIds),
+        isNull(datasets.deletedAt)
+      )
+    )
     .orderBy(datasets.name)
     .limit(input.pageSize)
     .offset(input.page * input.pageSize);