@atharv2-git atharv2-git commented Jun 20, 2025

Base Branch: 9.x

Note: This PR is made to doubtfire-lms/doubtfire-api as an upstream contribution to resolve the IDOR vulnerability, after peer reviews, AppAttack verification, and mentor approval.

Description

This PR resolves an Insecure Direct Object Reference (IDOR) vulnerability where non-privileged users (such as students) could access sensitive staff-related data (e.g., main_convenor_id, tutor_id, email, full_name) through the /api/units/:id endpoint.

Access to these fields is now strictly role-based, ensuring that only authorized users (e.g., staff, convenors, admin, tutor) can access privileged information.

Reference PRs


Root Cause

The exposure originated in the Entities::UnitEntity class, which serializes backend models to JSON for API responses. It previously lacked role checks for sensitive fields, allowing information leakage to unauthorized users.


Fix Summary

  • Introduced role-based filtering logic in UnitEntity to conditionally expose:
    • :staff
    • :main_convenor_id
    • :tutor_id
    • :email
    • :overseer_image_id
  • Ensured correct access enforcement without breaking front-end communication or staff privileges.

Validation Summary

  • Validated via Postman with different user roles (Student, Convenor, Admin).
  • Students can no longer view restricted fields in /api/units/:id or related endpoints.
  • Staff can still access appropriate data required for unit coordination and oversight.
  • Screenshots confirming before-and-after behavior included below:

Before: Student Accessing Staff Data
[Screenshot: Student Access - Before]

After: Staff Data Hidden from Students
[Screenshot: Student Access - After]

After: Convenor Access Confirmed
[Screenshot: Convenor Access - After]

Peer Review & Approval


Type of Change

  • Security fix (non-breaking)
  • Refactor (minor backend improvement)

How Has This Been Tested?

  • Verified API responses via Postman with different roles
  • Manually tested /api/units/:id and /api/unit_roles
  • Ensured no regression in app functionality for staff and tutors
  • Confirmed correct behavior across session and role transitions

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my code
  • I have commented relevant logic where needed
  • I have made corresponding documentation updates
  • I have linked this upstream PR to prior internal work and testing documentation
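The role-gated exposure described in the fix summary, as an added Ruby illustration that is not doubtfire-api's own Entities::UnitEntity code: a plain serializer that emits the staff-only fields only for privileged roles, shown next to the unfiltered "before" behaviour, plus a leak check usable as a regression test. The model structs, the role list and the sample unit are assumptions.

```ruby
# Added illustration (not doubtfire-api code). Hypothetical structs and roles
# stand in for the project's ActiveRecord models and Grape::Entity.
Unit  = Struct.new(:id, :name, :main_convenor_id, :tutor_id, :overseer_image_id, :staff,
                   keyword_init: true)
Staff = Struct.new(:id, :full_name, :email, keyword_init: true)

# Roles allowed to see staff-related data (assumed; mirrors the PR's list).
PRIVILEGED_ROLES = %i[admin convenor tutor].freeze

# Fields the PR gates behind a role check.
STAFF_ONLY_FIELDS = %i[staff main_convenor_id tutor_id overseer_image_id].freeze

def privileged?(role_in_unit)
  PRIVILEGED_ROLES.include?(role_in_unit)
end

# "Before": every field serialized regardless of who is asking (the IDOR).
def serialize_unit_unfiltered(unit)
  {
    id: unit.id, name: unit.name,
    main_convenor_id: unit.main_convenor_id, tutor_id: unit.tutor_id,
    overseer_image_id: unit.overseer_image_id,
    staff: unit.staff.map { |s| { id: s.id, full_name: s.full_name, email: s.email } }
  }
end

# "After": public fields always; staff-only fields only for privileged roles.
# An unknown or nil role falls through to the public view (deny by default).
def serialize_unit(unit, role_in_unit)
  public_view = { id: unit.id, name: unit.name }
  return public_view unless privileged?(role_in_unit)

  public_view.merge(serialize_unit_unfiltered(unit).slice(*STAFF_ONLY_FIELDS))
end

# Regression guard: true if a response body contains any gated field.
def leaks_staff_fields?(payload)
  (payload.keys & STAFF_ONLY_FIELDS).any?
end

# Constructed sample data for a stand-alone run.
SAMPLE_UNIT = Unit.new(
  id: 7, name: 'SIT000', main_convenor_id: 3, tutor_id: 9, overseer_image_id: 2,
  staff: [Staff.new(id: 3, full_name: 'A. Convenor', email: 'convenor@example.edu')]
)

if $PROGRAM_NAME == __FILE__
  puts serialize_unit(SAMPLE_UNIT, :student).inspect   # public fields only
  puts serialize_unit(SAMPLE_UNIT, :convenor).inspect  # includes staff fields
end
```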

b0ink (Member) commented Dec 3, 2025

It’s generally not an issue, as most students already have staff email accounts via the university’s unit site.

@b0ink b0ink closed this Dec 3, 2025