Background
PR #2064 fixed the delegation-aware isLLMOAdministrator() check for 11 handlers by ensuring hasAccess() is called before isLLMOAdministrator(). Two write operations were explicitly left out of scope because they have no prior hasAccess() call:
- saveStrategy — writes to S3 for arbitrary sites; calls isLLMOAdministrator() with no preceding hasAccess(), so _lastAccessWasDelegated is always false and delegated users retain full admin rights.
- onboardCustomer — creates new sites and accepts user-supplied imsOrgId without org-level authorization; same issue.
Risk
A delegated agency user (Org B with delegation to Org A) who has is_llmo_administrator: true in their JWT can invoke these endpoints against Org A's sites without restriction.
Required Fix
Add hasAccess() calls (with appropriate productCode) before the isLLMOAdministrator() checks in both handlers, following the same pattern established in PR #2064.
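To show why the ordering matters, here is an added illustration (not the project's code) of an access controller whose isLLMOAdministrator() depends on a flag that only hasAccess() sets, with the out-of-scope pattern beside the PR #2064 pattern. Claim names, org ids, the delegations map and the productCode handling are assumptions.

```javascript
// Added illustration, not the project's code: a minimal model of an access
// controller whose isLLMOAdministrator() depends on state set by hasAccess().
// Claim names, org ids, the delegations map and productCode handling are assumptions.
class AccessControl {
  constructor(claims, delegations) {
    this.claims = claims;           // decoded JWT claims (constructed sample)
    this.delegations = delegations; // Map: delegate org -> Set of orgs it may act for
    this._lastAccessWasDelegated = false; // stays false until hasAccess() runs
  }

  // Checks product entitlement and records whether the target org is reached
  // through a delegation rather than being the caller's own org.
  hasAccess(targetOrgId, productCode) {
    if (!this.claims.products.includes(productCode)) return false;
    const own = this.claims.imsOrgId === targetOrgId;
    const viaDelegation = (this.delegations.get(this.claims.imsOrgId) || new Set()).has(targetOrgId);
    this._lastAccessWasDelegated = !own && viaDelegation;
    return own || viaDelegation;
  }

  // Delegation-aware admin check: admin rights do not extend through a delegation.
  isLLMOAdministrator() {
    return this.claims.is_llmo_administrator === true && !this._lastAccessWasDelegated;
  }
}

// The out-of-scope pattern: admin check with no preceding hasAccess(), so the
// delegation flag is never set and a delegated admin passes for any org.
function saveStrategyUnfixed(ac, siteOrgId) {
  return ac.isLLMOAdministrator();
}

// The PR #2064 pattern: hasAccess() first, then the delegation-aware check.
function saveStrategyFixed(ac, siteOrgId) {
  if (!ac.hasAccess(siteOrgId, 'llmo')) return false;
  return ac.isLLMOAdministrator();
}

// Constructed scenario from the issue: agency Org B delegated to Org A, admin flag set.
const delegations = new Map([['org-b', new Set(['org-a'])]]);
const agencyAdmin = { imsOrgId: 'org-b', is_llmo_administrator: true, products: ['llmo'] };

console.log(saveStrategyUnfixed(new AccessControl(agencyAdmin, delegations), 'org-a')); // true: the bug
console.log(saveStrategyFixed(new AccessControl(agencyAdmin, delegations), 'org-a'));   // false: blocked
console.log(saveStrategyFixed(new AccessControl(agencyAdmin, delegations), 'org-b'));   // true: own org
```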
References