Last week, as part of our regular security audits and penetration testing, we found a bug where users with permissions that allowed access to the decisions listing page —but with no "permitted" statuses configured in decision settings—were able to see all decisions on the listing page, even though they weren't able to interact with the decisions themselves. This has been a long-standing "bug" in the platform.
On Friday afternoon, our team deployed a fix to close this loophole. However, as it turns out, many, if not most, of our schools using decisions were relying on this setup as a "view only" feature, which the update broke.
After hearing how our partners are actually using this particular configuration, we've decided to revert the fix and let this long-standing behavior remain the feature you've all been using it as.
As always, if you want users not to have any access to the decisions listing page, you can restrict that using the Access Decisions permission.
We apologize for any inconvenience this caused and want you to know the change was made with the best of intentions. Your feedback, as always, is appreciated — and it played a key role in our decision to revert this change.