diff --git a/apps/api/libs/dataset_security/src/lib.rs b/apps/api/libs/dataset_security/src/lib.rs index 10ef6917b..48654f19e 100644 --- a/apps/api/libs/dataset_security/src/lib.rs +++ b/apps/api/libs/dataset_security/src/lib.rs @@ -290,10 +290,15 @@ pub async fn get_permissioned_datasets( return Ok(Vec::new()); // No datasets accessible } + // Get all organization IDs for the user + let org_ids: Vec = user_orgs.into_iter().map(|(org_id, _)| org_id).collect(); + // Fetch the actual dataset info for the combined IDs with pagination + // IMPORTANT: Filter by organization to prevent cross-org data access let mut conn = get_pg_pool().get().await.context("DB Error")?; // Get final connection datasets::table .filter(datasets::id.eq_any(all_accessible_ids)) + .filter(datasets::organization_id.eq_any(org_ids)) .filter(datasets::deleted_at.is_null()) .select(PermissionedDataset::as_select()) .order(datasets::name.asc()) diff --git a/packages/access-controls/src/access-controls.ts b/packages/access-controls/src/access-controls.ts index 1fbd10c8c..2ed50e208 100644 --- a/packages/access-controls/src/access-controls.ts +++ b/packages/access-controls/src/access-controls.ts @@ -300,7 +300,11 @@ export async function getPermissionedDatasets( return []; // No datasets accessible } + // Get all organization IDs for the user + const organizationIds = userOrgs.map(org => org.organizationId); + // Fetch the actual dataset info for the combined IDs with pagination + // IMPORTANT: Filter by organization to prevent cross-org data access const results = await db .select({ id: datasets.id, 
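Review bot: The organization check is enforced only at this final fetch, so `all_accessible_ids` can still contain dataset IDs from other organizations; the query that admits them lies earlier in `get_permissioned_datasets`, outside the hunk, and is unchanged. The same holds for `allAccessibleIds` in the two `access-controls.ts` hunks. Any other consumer of an ID set built the same way would not get this protection, so consider applying the `organization_id` constraint where the IDs are collected, and add a regression test that a grant on a foreign-org dataset returns no row. The closure `|(org_id, _)| org_id` discards the second tuple element, so every membership counts; a comment such as `// org_ids spans every org the user belongs to; the second tuple field (presumably role) is intentionally ignored` would record that scope.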
@@ -312,7 +316,13 @@ export async function getPermissionedDatasets(
 dataSourceId: datasets.dataSourceId,
 })
 .from(datasets)
- .where(and(inArray(datasets.id, Array.from(allAccessibleIds)), isNull(datasets.deletedAt)))
+ .where(
+ and(
+ inArray(datasets.id, Array.from(allAccessibleIds)),
+ inArray(datasets.organizationId, organizationIds),
+ isNull(datasets.deletedAt)
+ )
+ )
 .orderBy(datasets.name)
 .limit(input.pageSize)
 .offset(input.page * input.pageSize);
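Review bot: `inArray(datasets.organizationId, organizationIds)` has no guard for an empty list, whereas the accessible-ID set has an early `return [];` in the previous hunk. Depending on the drizzle-orm version in use, an empty array passed to `inArray` either throws or compiles to a condition that matches nothing, so the outcome for a user with no organizations is not fixed by this code. Whether `userOrgs` can be empty here is decided earlier in `getPermissionedDatasets`, outside the hunk; if it can, adding `if (organizationIds.length === 0) return [];` right after `organizationIds` is built makes the fail-closed behaviour explicit.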