Follow-up from the GET PII-masking change.
Masking hides Person/Address in the response, but list endpoints filter on the unmasked DB columns (getAgentWhere street/search, getVolunteerWhere search, getOpportunityWhere, etc.). A non-privileged caller can therefore infer a hidden value by probing search patterns and seeing which (masked) rows match.
Also: PII embedded in free-text (e.g. legacy <|> contact comments, communication notes) isn't reached by entity-level masking.
Proposed: for non-privileged roles, scope or disable the searchable filters (or apply the same visibility scoping to the query WHERE clause), and consider redacting known PII in free-text fields. // SECURITY: markers have been added at the filter sites.
🤖 Generated with Claude Code
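To make the WHERE-scoping proposal concrete, here is an added example (not the project's code) of an agent where-builder in its current shape next to a scoped one that drops or narrows filters on columns the caller is not allowed to see; column names, role names and the ORM-like where shape are assumptions.

```javascript
// Hypothetical column/role names; masked columns mirror what the GET response hides.
const MASKED_COLUMNS = new Set(["street", "email", "phone"]);
const SEARCH_COLUMNS = ["name", "email"];

function callerSeesPII(caller) {
  return caller.roles.includes("admin");
}

// Vulnerable shape: filters hit the unmasked DB columns for every caller.
function getAgentWhereUnscoped(filters) {
  const where = {};
  if (filters.street) where.street = { contains: filters.street };
  if (filters.search) where.OR = SEARCH_COLUMNS.map((c) => ({ [c]: { contains: filters.search } }));
  return where;
}

// Hardened shape: a filter is applied only to columns the caller may see; anything
// else is dropped and reported so the handler can reject or log the request.
function getAgentWhereScoped(filters, caller) {
  const allowed = (col) => callerSeesPII(caller) || !MASKED_COLUMNS.has(col);
  const where = {};
  const dropped = [];
  if (filters.street) {
    if (allowed("street")) where.street = { contains: filters.street };
    else dropped.push("street");
  }
  if (filters.search) {
    const cols = SEARCH_COLUMNS.filter(allowed); // search is scoped to visible columns
    if (cols.length) where.OR = cols.map((c) => ({ [c]: { contains: filters.search } }));
    else dropped.push("search");
  }
  return { where, dropped };
}

// Minimal in-memory evaluator for the where shape above (stands in for the ORM).
function matches(row, where) {
  return Object.entries(where).every(([key, cond]) =>
    key === "OR" ? cond.some((sub) => matches(row, sub)) : String(row[key] ?? "").includes(cond.contains));
}

// Constructed sample rows and a street probe from a non-privileged caller.
const ROWS = [
  { id: 1, name: "Ada", email: "ada@example.org", street: "12 Elm St" },
  { id: 2, name: "Ben", email: "ben@example.org", street: "9 Oak Ave" },
];
const PUBLIC = { roles: ["volunteer"] };
// Ids a probe surfaces: with the unscoped builder they depend on the hidden street.
function probe(buildWhere, street) {
  return ROWS.filter((r) => matches(r, buildWhere({ street }, PUBLIC))).map((r) => r.id);
}
```

With the scoped builder the probe returns the same rows whatever value is supplied, so the masked column no longer acts as an oracle, while an admin caller keeps the full filter.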