- In the past months we’ve been working to make our authorization system more flexible, giving us granular, attribute-based control (ABAC) over each action a user can perform.
- After this change was introduced, permissions within a group didn’t match if the group name wasn’t in lowercase. The lowercasing has always been a backend transformation that is totally transparent to the user.
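
The failure mode described above, as an added example (not our production code). It assumes memberships are stored lowercased while the policy keeps the group's display name; all names and data are constructed for illustration.

```python
import unicodedata

def canonical_group(name: str) -> str:
    """Single canonical form used on BOTH sides of every comparison."""
    return unicodedata.normalize("NFKC", name).strip().casefold()

# Constructed sample data (assumption): memberships are stored lowercased,
# mirroring the backend transformation; policies keep the display name.
MEMBERSHIPS = {"alice": {"platform-team"}, "bob": {"finance"}}
POLICIES = [
    {"group": "Platform-Team", "action": "deploy:view"},
    {"group": "finance", "action": "invoice:view"},
]

def allowed_buggy(user: str, action: str) -> bool:
    """Compares the raw policy group name against the lowercased membership."""
    groups = MEMBERSHIPS.get(user, set())
    return any(p["action"] == action and p["group"] in groups for p in POLICIES)

def allowed_fixed(user: str, action: str) -> bool:
    """Canonicalizes both the membership and the policy group before matching."""
    groups = {canonical_group(g) for g in MEMBERSHIPS.get(user, set())}
    return any(
        p["action"] == action and canonical_group(p["group"]) in groups
        for p in POLICIES
    )

def find_case_mismatches() -> list:
    """Regression check: every (user, action) where the two evaluators disagree."""
    actions = {p["action"] for p in POLICIES}
    return sorted(
        (u, a) for u in MEMBERSHIPS for a in actions
        if allowed_buggy(u, a) != allowed_fixed(u, a)
    )

if __name__ == "__main__":
    print(find_case_mismatches())
```

Here the mismatch fails closed (a permitted action is hidden); the same comparison inside a deny rule would fail open, so the canonicalization belongs in one shared function rather than at each call site.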
What we’ve done
- We first received reports on May 19 and committed the fix on July 1 at 08:16 AM after investigating it for the past 3 weeks.
- We implemented a new tracking tool: LogRocket. With it, we were able to monitor our API’s responses to the affected users, which helped us identify and reproduce the problem.
What’s the impact
- Some users have reported that they sometimes weren’t able to view some buttons even though they had access to a group.
What we are doing to help
- We are improving our tests and error reporting to better spot and avoid this kind of problem.