From 619ca19f8770e4c3539c624910476aae3283cea8 Mon Sep 17 00:00:00 2001
From: TianyangZhang
Date: Wed, 25 Mar 2026 08:31:31 +0800
Subject: [PATCH] fix: prevent IDOR in application status update endpoint

Replace class-level queryset attribute with get_queryset() method that scopes Application objects to the requesting admin's organization, preventing regular admins from modifying applications belonging to other organizations via pk enumeration.

Co-Authored-By: Claude Sonnet 4.6
---
 offer_backend/apps/applications/views.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/offer_backend/apps/applications/views.py b/offer_backend/apps/applications/views.py
index 2fe189f..ae1a98f 100644
--- a/offer_backend/apps/applications/views.py
+++ b/offer_backend/apps/applications/views.py
@@ -31,7 +31,12 @@ class ApplicationManageViewSet(viewsets.ReadOnlyModelViewSet):
 class ApplicationStatusUpdateView(generics.UpdateAPIView):
 serializer_class = ApplicationStatusSerializer
 permission_classes = [IsAdminOrSuperAdmin]
- queryset = Application.objects.all()
+
+ def get_queryset(self):
+ user = self.request.user
+ if user.is_superadmin:
+ return Application.objects.all()
+ return Application.objects.filter(job__organization=user.organization)
 def perform_update(self, serializer):
 instance = serializer.save()
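Review bot: The organisation scope in the new `get_queryset` falls open for a non-superadmin whose `organization` is unset: Django rewrites `filter(job__organization=None)` as `job__organization IS NULL`, so such an admin would be able to update every application whose job has no organisation rather than none. If that field is nullable on the user model (not visible in this hunk), add a guard before the filter, `if user.organization_id is None: return Application.objects.none()`, and filter on `job__organization_id=user.organization_id` so the related row is not loaded just to compare. `is_superadmin` is read here as an attribute; if it is actually a method rather than a field or property, the truthiness test passes for every user and the scoping is bypassed, so confirm it against the user model and the `IsAdminOrSuperAdmin` permission class, which presumably reads the same flag. The read-only `ApplicationManageViewSet` named in the hunk header and the rest of `ApplicationStatusUpdateView` (including `perform_update`) lie outside the hunk; the viewset would want the same scoping, otherwise the pk enumeration this commit closes for writes still discloses other organisations' applications on GET. A one-line docstring on the new method, `"""Restrict updatable applications to the caller's organisation; superadmins see all."""`, would record the invariant the fix relies on.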