Fix dashboard-only permission leaking global extract access by AtlasLabs797 · Pull Request #2 · AtlasLabs797/AtlasBalance

AtlasLabs797 · 2026-04-23T20:38:55Z

A global permission row with PuedeVerDashboard=true was being treated as full data access in ExtractosController, allowing non-admin users with dashboard-only permissions to read extractos across all cuentas and creating a cross-account data exposure that conflicts with UserAccessService semantics.

Removed p.PuedeVerDashboard from the global-access condition in GetAllowedAccountIds and the identical check in CanViewTitular within Atlas Balance/backend/src/GestionCaja.API/Controllers/ExtractosController.cs so global access now requires one of PuedeAgregarLineas, PuedeEditarLineas, PuedeEliminarLineas or PuedeImportar.
Updated Documentacion/DOCUMENTACION_CAMBIOS.md and Documentacion/LOG_ERRORES_INCIDENCIAS.md to record the fix and associated it with version V-01.02.
Preserved existing admin behavior and explicit per-CuentaId/TitularId permission handling.

Performed static verification and diffs using sed -n, git diff and file inspection to confirm the condition was updated and documentation entries were added, and committed the change.
Could not run dotnet build or dotnet test in this environment because dotnet is not available (command not found), so running dotnet test "Atlas Balance/backend/GestionCaja.sln" -c Release in an environment with the .NET SDK is pending.

Fix dashboard-only global access in extract scopes

fd0ca47

AtlasLabs797 added codex aardvark labels Apr 23, 2026 — with ChatGPT Codex Connector

Provide feedback