Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.

fix(security): disable email-voting + ORI email leak + @self.id exposure (C2/C5/L1)#337

Merged
rubenvdlinde merged 1 commit into
developmentfrom
fix/pass2-email-voting-ori
May 28, 2026
Merged

fix(security): disable email-voting + ORI email leak + @self.id exposure (C2/C5/L1)#337
rubenvdlinde merged 1 commit into
developmentfrom
fix/pass2-email-voting-ori

Conversation

@rubenvdlinde

Copy link
Copy Markdown
Contributor

Summary

  • C2 (email-voting disabled) Remove MailReplyHandler from background-jobs in info.xml and stop scheduling it in Application::boot(). Email-voting is disabled until the feature is audited. Removes unused IJobList import.
  • C5 (ORI email leak) serializeOri() was including the email field for all resource types (meetings, motions, bodies). Email is now restricted to Organization-typed resources only.
  • L1 (@self.id public exposure) Fix id resolution in serializeOri() to use the entity's own uuid field first; @self.id is an internal OR reference and must not be surfaced via the public ORI API.
  • Pre-existing PHPStan: Fix Application.php DI registrations that were missing participantResolver (MinutesController/VotingService/LiveMeetingController), groupManager (TaskController/CommentController/MotionCoauthorController), container+groupManager (EngagementController), and had spurious groupManager on AnalyticsController.

Test plan

  • PHPCS: clean (0 errors)
  • PHPStan: clean (0 errors)
  • MailReplyHandler no longer appears in scheduled jobs after app enable
  • ORI /api/ori/{schema}/{id} for a governance-body does not expose email
  • ORI /api/ori/{schema}/{id} for an organization-schema resource DOES expose email
  • All controllers/services resolve correctly from the DI container

…ure (C2/C5/L1)

- C2: remove MailReplyHandler from background-jobs in info.xml and
  stop scheduling it in Application::boot() — email-voting is disabled
  until the feature is fully audited; removes unused IJobList import
- C5: restrict ORI email field to Organization-typed resources only;
  was previously included for all types (meetings, motions, bodies),
  leaking any email field present on those objects to the public API
- L1: fix serializeOri() id resolution to prefer entity uuid field over
  @self.id (internal OR metadata); @self.id must not be surfaced publicly
- Fix pre-existing PHPStan: Application.php DI registrations were missing
  participantResolver param for MinutesController/VotingService/
  LiveMeetingController, groupManager for TaskController/CommentController/
  MotionCoauthorController, container+groupManager for EngagementController,
  and had spurious groupManager on AnalyticsController
@rubenvdlinde rubenvdlinde merged commit 8e8f6df into development May 28, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant