Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.

fix(security): resolve CRITICAL IDOR, DoS, and OR-API drift — #319-#323#343

Open
rubenvdlinde wants to merge 1 commit into
developmentfrom
fix/critical-c1-c5-idor-dos-or-api
Open

fix(security): resolve CRITICAL IDOR, DoS, and OR-API drift — #319-#323#343
rubenvdlinde wants to merge 1 commit into
developmentfrom
fix/critical-c1-c5-idor-dos-or-api

Conversation

@rubenvdlinde

Copy link
Copy Markdown
Contributor

Summary

Pre-existing fixes: ActionAuthService REQ-TMPL-013 violation fixed; missing use OCP\AppFramework\Http in ManifestController fixed. Test suite drift in 11 admin controller tests resolved (constructor signatures + #[AuthorizedAdminSetting] middleware pattern).

Test plan

  • All 1037 unit tests pass
  • PHPStan level-5 clean (68 pre-existing errors baselined)
  • New tests: DashboardTreeServiceTest (2 C1), DashboardLockServiceTest (2 C3), RuleApiControllerSecurityTest (6 C4)

Closes #319, #320, #321, #322, #323

-#323)

C1 (#319): GET /api/dashboards/tree now filters by user-visible UUIDs via
  DashboardTreeService::getFilteredTree() — cross-user enumeration blocked.

C2 (#320): GET /api/dashboards/by-path/{path} now calls
  PermissionService::canViewDashboard() after slug resolution; returns 404
  on access denial to prevent slug enumeration.

C3 (#321): DashboardLockService::acquireLock() and heartbeat() now check
  PermissionService::canViewDashboard() before acquiring; controller maps
  LockForbiddenException to HTTP 403.

C4 (#322): RuleApiController::updateRule() and deleteRule() now load the
  rule first, then call PermissionService::verifyPlacementOwnership() before
  any mutation; ConditionalService gains a public findRule() method.

C5 (#323): ManifestController replaces the non-existent
  ObjectService::findObjects() with the real findAll() API — manifests now
  populate correctly when OpenRegister is active.

Pre-existing: ActionAuthService REQ-TMPL-013 violation fixed (route through
  AdminTemplateService::getUserGroupIdsFor instead of direct IGroupManager
  call). Missing Http import in ManifestController fixed.

Pre-existing test suite drift also resolved: admin controller tests updated
  to match constructors and #[AuthorizedAdminSetting] middleware pattern
  (groupManager parameters removed, middleware-guard assertions removed,
  ResourceController/ResourceServeController split reconciled).

All 1037 unit tests pass; phpstan level-5 clean (68 pre-existing baselined).
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant