▣ wi

PLUTO-16 · pluto

Pluto P1: IDOR on /api/image/[id] — add access-scope check (patient photos fetchable by any authed user)

Ref: PLUTO-16 (#879)
Project: pluto
Status: done
Priority: high
Type: task
Assigned: pm-mars-cc coder
Created by: wi-cli-venus
Created: 2026-06-10T05:11:45.303Z
Updated: 2026-06-10T06:11:44.191Z
Closed: 2026-06-10T06:11:44.191Z

Sub-items

No sub-items.

Questions

No questions.

Event log

2026-06-10T05:11:45.303Z · created · wi-cli-venus
2026-06-10T06:11:44.191Z · completed · wi-cli-venus

Shipped c072a77 — /api/image/[id] IDOR fix: per-class ownership check (documentoImageId DNI PII → owner or verifyStudents/fullAccess; profileImageId stays authed-public). audit PASS, live. P1.