If a user was a member of one organization and saved the UUID of a ReviewObject document, and is later moved to a different organization where they hold admin access, that user can call GET /review/byUUID/:uuid to read the current content of that ReviewObject document. For example, a former employee may be able to monitor ongoing negotiations between their former employer and the Secretariat. This occurs because the access-control check does not verify the relationship between the caller's current organization and the document's target_object_uuid property.
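The following is an added illustration of the missing check, not code from the affected project. It models a "get ReviewObject by UUID" handler in memory, once with only a role check (the pattern the description above implies) and once with an object-level check that ties the review's target_object_uuid back to the caller's current organization. The ownership rule (an object belongs to one owner_org_id), the record shapes, and the sample data are all constructed for this example; the real relationship rule is whatever the service's data model defines.

```javascript
// Added example: in-memory model of GET /review/byUUID/:uuid, vulnerable and
// hardened forms. Field names beyond target_object_uuid and the ownership
// rule are assumptions made for this illustration, not the project's schema.

// Constructed sample data: obj-1111 belongs to org-A and has one review.
const OBJECTS = new Map([
  ["obj-1111", { uuid: "obj-1111", owner_org_id: "org-A" }],
]);
const REVIEWS = new Map([
  ["rev-9999", {
    uuid: "rev-9999",
    target_object_uuid: "obj-1111",
    content: "draft negotiation notes",
  }],
]);

// Vulnerable: an "admin" role check only. Any admin anywhere who knows the
// UUID gets the document; the caller's organization is never compared to
// the organization that owns the review's target object.
function getReviewByUuidVulnerable(caller, uuid) {
  if (caller.role !== "admin") return { status: 403 };
  const review = REVIEWS.get(uuid);
  if (!review) return { status: 404 };
  return { status: 200, body: review };
}

// Hardened: after the role check, resolve target_object_uuid and require the
// target's owning organization to be the caller's current organization
// (hypothetical ownership rule). Respond 404, not 403, on mismatch so the
// endpoint cannot be used to confirm that a guessed UUID exists.
function getReviewByUuidHardened(caller, uuid) {
  if (caller.role !== "admin") return { status: 403 };
  const review = REVIEWS.get(uuid);
  if (!review) return { status: 404 };
  const target = OBJECTS.get(review.target_object_uuid);
  if (!target || target.owner_org_id !== caller.org_id) return { status: 404 };
  return { status: 200, body: review };
}

// Constructed callers: a former org-A employee now admin at org-B who kept
// the UUID, and a current org-A admin.
const formerEmployee = { user_id: "u1", org_id: "org-B", role: "admin" };
const currentAdmin = { user_id: "u2", org_id: "org-A", role: "admin" };

console.log("vulnerable, former employee:",
  getReviewByUuidVulnerable(formerEmployee, "rev-9999").status); // 200
console.log("hardened,   former employee:",
  getReviewByUuidHardened(formerEmployee, "rev-9999").status);   // 404
console.log("hardened,   current admin:  ",
  getReviewByUuidHardened(currentAdmin, "rev-9999").status);     // 200
```

The fix is not "check that the caller is an admin" but "check that the caller's organization is allowed to see this particular object"; a per-request role check without an object-level ownership or membership test is exactly the gap the description above identifies.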