Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.
This repository was archived by the owner on May 29, 2026. It is now read-only.

security: OrganisatieService parent-organisation RBAC scoping is disabled (hotfix left in place) #296

Description

@rubenvdlinde

Summary

The automatic parent-organisation linkage for newly created organisations has been deliberately disabled via a HOTFIX because it interacted badly with hierarchical RBAC filtering. Child organisations are no longer linked to their parent, which removes the parent-child scoping that the RBAC layer relies on. Surfaced during the 2026-05-24/25 retrofit reverse-spec work.

Location

lib/Service/OrganisatieService.php, createOrganisationEntityInternal(), lines 251-289 (HOTFIX docblock + commented-out parent assignment + createOrganisation() call without parent).

Observed behavior

/**
 * ...
 * HOTFIX: Parent organisation setting has been disabled due to RBAC issues.
 * Previously, new organisations were automatically set as children of the active organisation,
 * but this caused permission problems where users could not access newly created organisations.
 * TODO: Re-enable parent organisation setting after fixing RBAC logic.
 */
private function createOrganisationEntityInternal(...): \OCA\OpenRegister\Db\Organisation {
    // HOTFIX: Commented out automatic parent organisation setting due to RBAC issues.
    // When child organisations are created, the parent relationship causes permission problems.
    // ...
    // Disabled: $parentOrganisationUuid = $this->getActiveOrganisationUuid(organisationService: $organisationService).
    ...
    $organisationEntity = $organisationService->createOrganisation(
        name: (string) $mappedData['naam'],
        description: (string) ($mappedData['type'] ?? ''),
        addCurrentUser: false,
        uuid: $organizationUuid
        // NOTE: no parent passed
    );

Impact

OWASP A01 (Broken Access Control). The parent-organisation relationship is what scopes a child organisation under its parent's hierarchical RBAC. By creating every organisation with no parent, the intended hierarchical containment is bypassed:

  • New organisations are created flat / unscoped rather than under the active (parent) organisation, so the access boundary the hierarchy was meant to enforce is not applied.
  • This is a hotfix-shaped "disable the check to make the error go away" pattern; the underlying RBAC bug was never fixed, only routed around.

The exact exposure depends on how the RBAC layer treats parent-less organisations (whether flat == globally visible or flat == isolated) — that should be confirmed against OpenRegister's RBAC filtering before deciding severity, but either way the documented authorization model is not being enforced as designed.

Suggested fix

Restore the parent-organisation assignment. The HOTFIX was applied because the parent-child link caused "users could not access newly created organisations" — that is an RBAC-filtering bug in the access-grant path, not a reason to drop the relationship. Fix the underlying RBAC logic (e.g. ensure the creating user is granted access to the new child org) and re-enable parent linkage, rather than leaving the scoping disabled.

Source PR

#292

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingsecurity

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions