- [YES/NO] I have added an explanation of what changes in this merge do and why we should include it? YES
- [YES/NO] Does the MR contain pipeline/ helm chart related changes? NO
- [YES/NO] I have updated the documentation accordingly. NA
- [YES/NO/NA] I have added tests to cover my changes. NA
- [YES/NO/NA] All new and existing tests passed. YES
- [YES/NO/NA] My code follows the code style of this project. YES
- [YES/NO/NA] I ran lint checks locally prior to submission. NA
What is the issue or story related to the change?
This MR removes the override of IEntitlementsService present in provider/azure. The overridden code is buggy in the sense that it doesn't make any actual API calls to the Entitlement service but does some in-memory processing and returns the response then and there. This exposes us to two potential vulnerabilities:
- Actual authorization is not taking place, hence we are at risk of exposing content to unauthorized users
- The overriding code is buggy itself. From exceptions we see failures related to object casting and this failure is hiding the real problem
High level design:
Removed the overriding code in provider/azure.
Does this introduce a breaking change?
- Please provide an ETA when you plan to review this MR. Write a comment to decline or provide an ETA.
- Block the MR if you feel there is less testing or no details in the MR
- Please cover the following aspects in the MR
  -- Coding design: <Reviewer1>
  -- Backward Compatibility: <Reviewer2>
  -- Feature Logic: <Logic design>
  -- <Any other context mention here>
  OR
  -- <Component 1>: <Reviewer1>
  -- <CosmosDB>: <Reviewer2>
  -- <ServiceBus>: <Reviewer3>
  -- <Mention any other component and owner>