Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.
This repository was archived by the owner on May 29, 2026. It is now read-only.

[HIGH] H2: @PublicPage views endpoint leaks all tenants' draft views to anonymous users #334

Description

@rubenvdlinde

Severity: HIGH

Location: lib/Controller/ViewController.php lines 79–226; lib/Service/ViewService.php lines 309–334, 820, 1195

Description:
GET /api/views is @PublicPage and calls ObjectService::find with _rbac:false, _multitenancy:false. Anonymous requests therefore receive all tenants' views including drafts, bypassing both multitenancy isolation and publication-status filtering. This follows the same anti-pattern identified in opencatalogi issue #728.

Scenario:
An unauthenticated caller performs:

GET /api/views

Response includes draft and unpublished views from all tenants in the system.

Suggested fix:
Either:

  • Drop @PublicPage and require authentication, or
  • For anonymous access: add published === true filter AND pass _multitenancy:true to ObjectService::find so that only the current tenant's published views are returned.

Source: deep team-reviewer pass 2026-05-27

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions