Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.

fix(security): cross-tenant IDOR — authorization blocks + owner field#276

Merged
rubenvdlinde merged 1 commit into
developmentfrom
fix/critical-cross-tenant-idor-owner-rbac
May 27, 2026
Merged

fix(security): cross-tenant IDOR — authorization blocks + owner field#276
rubenvdlinde merged 1 commit into
developmentfrom
fix/critical-cross-tenant-idor-owner-rbac

Conversation

@rubenvdlinde

Copy link
Copy Markdown
Contributor

Summary

What changed

File Change
lib/Settings/planix_register.json authorization on project/task/column/timeEntry; owner field on project; publicRead/Write: false on register; register version 0.2.0 → 0.2.1; info version → 0.2.3
lib/Migration/Version20260403000000.php Docblock corrected — removes the publicWrite: true claim
tests/unit/Settings/PlanixRegisterSchemaTest.php 7 new mechanical regression tests asserting the security properties

Test plan

  • All 7 new tests in PlanixRegisterSchemaTest pass (phpunit --configuration phpunit-unit.xml)
  • Verified 19 total tests, 71 assertions; only 11 pre-existing OCP-mock errors remain (require Nextcloud container)
  • PHPCS passes on all three changed files (0 errors)
  • JSON validated via python3 -m json.tool planix_register.json

Closes #257
Closes #258
Closes #259

…ross-tenant IDOR

Fixes #257 (IDOR: any authenticated user could read/write all projects/tasks),
#258 (missing owner field blocked creator-based RBAC), and #259 (migration
docblock claimed publicWrite:true contradicting the membership-access spec).

Changes:
- planix_register.json: add `authorization` blocks to project, task, column,
  and timeEntry schemas enforcing member-based row-level read/write filtering;
  project delete restricted to owner or admin; timeEntry write restricted to
  the logging user. Add explicit `publicRead: false` and `publicWrite: false`
  to the register block. Add `owner` field to project schema for creator RBAC.
  Bump register version 0.2.0 -> 0.2.1, info version -> 0.2.3.
- Version20260403000000.php: correct misleading docblock that claimed
  publicWrite:true — the intent is and has always been publicWrite:false.
- tests/unit/Settings/PlanixRegisterSchemaTest.php: 7 new tests that
  mechanically assert the security properties introduced above, acting as
  regression guards so the IDOR cannot silently reopen.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant