Secure user-scoped endpoints by validating attendee ownership#256

Open
oPeras1 wants to merge 2 commits into sinfo:master from oPeras1:fix-authorization-link
Conversation

@oPeras1 oPeras1 commented Apr 21, 2026

Fix an insecure direct object reference vulnerability in attendee link endpoints where user-scoped routes allowed operations on arbitrary attendeeId/companyId values without verifying ownership.

Several endpoints accept user-controlled identifiers from request parameters and perform actions without confirming that the authenticated user is authorized to access or modify the target attendee’s data.

Copilot AI review requested due to automatic review settings April 21, 2026 12:24
Copilot AI left a comment

Pull request overview

This PR addresses an insecure direct object reference (IDOR) in attendee-scoped link endpoints by enforcing that user-scoped requests can only operate on the authenticated attendee’s own attendeeId, while preserving existing elevated access for team/admin.

Changes:

  • Added checkAttendeeAccess(credentials, attendeeId) and registered it as a server method.
  • Enforced attendee ownership checks across attendee link CRUD/list handlers (/users/{attendeeId}/link*).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File | Description
server/routes/link/handlers.js | Adds ownership checks before performing attendee link operations.
server/resources/link.js | Introduces and registers link.checkAttendeeAccess used by the routes.

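As an added example (not code from the sinfo repository), a stand-alone JavaScript sketch of the ownership check the overview describes, run over constructed request cases that correspond to the assertions the review asks for (own attendeeId allowed, another attendeeId rejected with 403, team/admin still allowed). The credential shape `{ user: { id, role } }`, the role names `'team'`/`'admin'` and the `statusCode` field are assumptions, not the project's actual types.

```javascript
// Added example, not the sinfo project's code. Assumed credential shape:
// request.auth.credentials = { user: { id, role } }, role 'user' | 'team' | 'admin'.
const ELEVATED_ROLES = new Set(['team', 'admin'])
// 403 error built without @hapi/boom so the example runs stand-alone.
function forbidden(message) {
  const err = new Error(message)
  err.statusCode = 403
  return err
}
// Ownership check: attendeeId comes from the route path and is compared against
// the identity established by authentication, never against a payload field.
function checkAttendeeAccess(credentials, attendeeId) {
  const user = credentials && credentials.user
  if (!user || typeof user.id !== 'string') {
    throw forbidden('no authenticated user')
  }
  if (ELEVATED_ROLES.has(user.role)) {
    return user.id // team/admin keep access to any attendee
  }
  // Strict comparison: '42' and 42 must not be treated as the same attendee.
  if (typeof attendeeId !== 'string' || attendeeId !== user.id) {
    throw forbidden('attendee does not belong to the authenticated user')
  }
  return user.id
}
// Maps the check's outcome to the HTTP status a handler would answer with.
function accessStatus(credentials, attendeeId) {
  try {
    checkAttendeeAccess(credentials, attendeeId)
    return 200
  } catch (e) {
    return e.statusCode || 500
  }
}
// Constructed request cases covering what the review asked tests to assert.
const SAMPLE_CASES = [
  { name: 'own',   credentials: { user: { id: 'att-1', role: 'user' } },    attendeeId: 'att-1' },
  { name: 'other', credentials: { user: { id: 'att-1', role: 'user' } },    attendeeId: 'att-2' },
  { name: 'team',  credentials: { user: { id: 'staff-7', role: 'team' } },  attendeeId: 'att-2' },
  { name: 'admin', credentials: { user: { id: 'root', role: 'admin' } },    attendeeId: 'att-2' },
  { name: 'anon',  credentials: null,                                       attendeeId: 'att-2' },
  { name: 'typed', credentials: { user: { id: '42', role: 'user' } },       attendeeId: 42 },
]
// Returns { caseName: httpStatus } for every constructed case.
function runSampleCases() {
  return Object.fromEntries(SAMPLE_CASES.map(c => [c.name, accessStatus(c.credentials, c.attendeeId)]))
}
```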
Comment thread server/resources/link.js Outdated
Comment on lines 76 to 79
const edition = await request.server.methods.deck.getLatestEdition()
await request.server.methods.link.checkAttendeeAccess(request.auth.credentials, request.params.attendeeId)
await request.server.methods.link.checkCompany(request.payload.userId, request.payload.companyId, edition.id)
let link = await request.server.methods.link.create(request.params.attendeeId, request.payload, "attendee", edition.id)
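Review bot: the ownership check validates request.params.attendeeId, but the checkCompany call on the next line is given request.payload.userId, so the identifier the caller was just authorised for and the identifier used for the company check can differ. Either pass request.params.attendeeId to checkCompany, or reject payloads whose userId does not equal the path attendeeId before reaching link.create.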
Copilot AI Apr 21, 2026

This change introduces new authorization behavior for user-scoped attendee link endpoints, but there doesn’t appear to be test coverage for the /users/{attendeeId}/link* routes. Please add tests that assert a user cannot create/get/list/update/delete links for a different attendeeId (expect 403), while team/admin can still access as intended.

oPeras1 (Author)

Won't do, exercise for the reader.
