Describe the bug
Currently the /tps/accounts endpoint is exposing information about all org_apps_memberships on an account regardless of the app scoping on the provided token. This could potentially expose sensitive data that the caller is not intended to be able to access.
Expected behavior
Calls to the /tps/accounts endpoint should only return data for the scopes and restrictions set on the provided access token. This should include application restrictions.
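The following is an added illustration of the reported behaviour and of the expected fix; it is not code from this project. The data model (Membership, AccessToken, the accounts:read scope name, the app_ids field and the two handler functions) and the sample memberships are constructed assumptions. It shows the buggy handler, which checks the token's scope but ignores its app restriction, beside a corrected handler that filters org_apps_memberships by the apps the token is restricted to.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Everything below is constructed for illustration: the types, field names
# and scope string are assumptions, not the project's real schema.


@dataclass(frozen=True)
class Membership:
    org_id: str
    app_id: str
    role: str


@dataclass(frozen=True)
class AccessToken:
    account_id: str
    scopes: FrozenSet[str]
    # None: the token carries no application restriction.
    # A set (possibly empty): the token is limited to exactly those apps.
    app_ids: Optional[FrozenSet[str]]


class Forbidden(Exception):
    pass


# Constructed org_apps_memberships store for a single account.
MEMBERSHIPS: Dict[str, List[Membership]] = {
    "acct-1": [
        Membership("org-a", "app-1", "admin"),
        Membership("org-a", "app-2", "member"),
        Membership("org-b", "app-3", "owner"),
    ],
}


def _serialize(m: Membership) -> dict:
    return {"org_id": m.org_id, "app_id": m.app_id, "role": m.role}


def accounts_vulnerable(token: AccessToken) -> dict:
    """Behaviour the bug report describes: the scope is enforced, but the
    token's app restriction is never consulted, so every membership on the
    account is returned."""
    if "accounts:read" not in token.scopes:
        raise Forbidden("missing scope accounts:read")
    rows = MEMBERSHIPS.get(token.account_id, [])
    return {
        "account_id": token.account_id,
        "org_apps_memberships": [_serialize(m) for m in rows],
    }


def accounts_fixed(token: AccessToken) -> dict:
    """Expected behaviour: enforce the scope AND the app restriction."""
    if "accounts:read" not in token.scopes:
        raise Forbidden("missing scope accounts:read")
    rows = MEMBERSHIPS.get(token.account_id, [])
    if token.app_ids is not None:
        # Filter before serialization so no out-of-scope row ever reaches the
        # response layer. A token restricted to zero apps sees nothing.
        rows = [m for m in rows if m.app_id in token.app_ids]
    return {
        "account_id": token.account_id,
        "org_apps_memberships": [_serialize(m) for m in rows],
    }


def visible_app_ids(response: dict) -> FrozenSet[str]:
    """Helper for checking which apps a response leaks."""
    return frozenset(m["app_id"] for m in response["org_apps_memberships"])


if __name__ == "__main__":
    scoped = AccessToken("acct-1", frozenset({"accounts:read"}), frozenset({"app-2"}))
    print(sorted(visible_app_ids(accounts_vulnerable(scoped))))  # all three apps leak
    print(sorted(visible_app_ids(accounts_fixed(scoped))))       # only app-2
```

The check worth keeping as a regression test is the one in the `__main__` block: a token restricted to one app must never see memberships for another app, an unrestricted token still sees everything, and an empty restriction set yields an empty list rather than falling through to "no restriction".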