From 34b59973f974706d22547f5dc66f3781ede81125 Mon Sep 17 00:00:00 2001
From: atharv2-git
Date: Fri, 20 Jun 2025 12:10:43 +1000
Subject: [PATCH] filtering out the staff details to non-staff roles hence fixing insecure direct object reference vulnerability

---
 app/api/entities/unit_entity.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/api/entities/unit_entity.rb b/app/api/entities/unit_entity.rb
index 4ac79cb15..b9aa0edfc 100644
--- a/app/api/entities/unit_entity.rb
+++ b/app/api/entities/unit_entity.rb
@@ -52,7 +52,7 @@ def can_read_unit_config?(my_role)
     expose :tutorial_streams, using: TutorialStreamEntity, unless: :summary_only
 
     # Expose staff before tutorials, so that their details are available
-    expose :staff, using: UnitRoleEntity, unless: :summary_only
+    expose :staff, using: UnitRoleEntity, unless: :summary_only, if: lambda { |unit, options| is_staff?(options[:my_role]) } # filtering out the staff_data object for non_staff_roles
     expose :tutorials, using: TutorialEntity, unless: :summary_only
     # expose :tutorial_enrolments, using: TutorialEnrolmentEntity, unless: :summary_only, if: lambda { |unit, options| is_staff?(options[:my_role]) }