ronald/timebank-cc-public
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
main
timebank-cc-public/references/AUTHORIZATION_VULNERABILITY_FIXES.md
Ronald Huynen 2547717edb Initial commit
2026-03-23 21:37:59 +01:00

12 KiB
Raw Permalink Blame History

Authorization Vulnerability Fixes

Date: 2025-12-28 Status: FIXES IMPLEMENTED Priority: CRITICAL

Summary

Fixed critical IDOR (Insecure Direct Object Reference) vulnerabilities in profile deletion and management operations that allowed users to manipulate session data to access/delete profiles they don't own.

Vulnerabilities Fixed

1. Profile Deletion Authorization Bypass (CRITICAL)

Files Fixed:

  • app/Http/Livewire/Profile/DeleteUserForm.php (line 219)

Vulnerability: Users could delete ANY profile (User, Organization, Bank, Admin) by manipulating session variables activeProfileId and activeProfileType.

Fix Implemented: Added ProfileAuthorizationHelper::authorize($profile) check immediately after retrieving the active profile.

// Get the active profile using helper
$profile = getActiveProfile();

if (!$profile) {
    throw new \Exception('No active profile found.');
}

// CRITICAL SECURITY: Validate user has ownership/access to this profile
// This prevents IDOR (Insecure Direct Object Reference) attacks where
// a user manipulates session data to delete profiles they don't own
\App\Helpers\ProfileAuthorizationHelper::authorize($profile);

How It Works:

  1. Validates authenticated user exists
  2. Checks profile type (User/Organization/Bank/Admin)
  3. Verifies ownership/link relationship in database:
    • User: auth()->user()->id === $profile->id
    • Organization: User exists in organization_user pivot table
    • Bank: User exists in bank_user pivot table
    • Admin: User exists in admin_user pivot table
  4. Throws 403 HTTP exception if unauthorized
  5. Logs unauthorized access attempts

New Security Components Created

ProfileAuthorizationHelper Class

Location: app/Helpers/ProfileAuthorizationHelper.php Purpose: Centralized profile ownership/access validation

Methods:

authorize($profile): void

  • Validates and throws 403 if unauthorized
  • Primary method for protecting operations
  • Logs all authorization attempts/failures

validateProfileOwnership($profile, $throwException = true): bool

  • Core validation logic
  • Returns boolean or throws exception
  • Supports all 4 profile types

can($profile): bool

  • Non-throwing version for permission checks
  • Returns true/false without exception
  • Useful for conditional UI rendering

Features:

  • Comprehensive logging of authorization attempts
  • Specific error messages per profile type
  • SQL-injection safe pivot table queries
  • Handles all profile type edge cases

Autoload Registration

File Modified: composer.json Change: Added ProfileAuthorizationHelper to files autoload section

"files": [
    "app/Helpers/TimeFormat.php",
    "app/Helpers/StringHelper.php",
    "app/Helpers/StyleHelper.php",
    "app/Helpers/ProfileHelper.php",
    "app/Helpers/ProfileAuthorizationHelper.php",  // NEW
    "app/Helpers/AuthHelper.php",
    ...
]

Regenerated: composer dump-autoload completed successfully

Testing Status

Automated Tests

  • Created comprehensive test suite: ProfileDeletionAuthorizationTest.php
  • Tests cover all profile types and attack scenarios
  • Some tests require additional setup (permissions seeding)

Manual Verification Required

Due to test environment setup complexities (missing permissions, view dependencies), manual testing recommended:

# Test 1: Attempt unauthorized user deletion via session manipulation
1. Login as User A
2. Open browser devtools
3. Manipulate session storage to set activeProfileId = UserB's ID
4. Attempt to delete profile
5. Should receive 403 Forbidden error

# Test 2: Attempt unauthorized organization deletion
1. Login as User A (linked to Org1)
2. Manipulate session: activeProfileType = Organization, activeProfileId = Org2's ID
3. Attempt deletion
4. Should receive 403 Forbidden error

# Test 3: Verify legitimate deletion still works
1. Login as User A
2. Navigate to profile deletion normally
3. Should complete successfully

Scope of Protection

Operations Now Protected

Fully Protected (New Authorization Helper):

  • Profile deletion (DeleteUserForm.php - Line 219)
  • Non-user password changes (UpdateNonUserPasswordForm.php - Line 28)
  • Settings modification (UpdateSettingsForm.php - Lines 96, 164, 203)
  • Profile phone updates (UpdateProfilePhoneForm.php - Line 138)
  • Social links management (SocialsForm.php - Lines 53, 82, 113, 136)
  • Location updates (UpdateProfileLocationForm.php - Line 174)
  • Bank profile updates (UpdateProfileBankForm.php - Line 148)
  • Organization profile updates (UpdateProfileOrganizationForm.php - Line 152)
  • Cyclos skills migration (MigrateCyclosProfileSkillsForm.php - Line 46)
  • Admin log viewer (Admin/Log.php - Line 41)
  • Admin log file viewer (Admin/LogViewer.php - Line 37)
  • Profile switching (SwitchProfile.php - Line 192)

Safe by Design (No Session Risk):

  • User profile updates (UpdateProfilePersonalForm.php - Uses Auth::user() directly)
  • User password changes (UpdateUserPassword.php - Fortify action receives auth user)

Recommended Integration Pattern

For ALL profile-modifying operations:

public function someMethod()
{
    // Get active profile
    $profile = getActiveProfile();

    // CRITICAL: Always validate ownership first
    \App\Helpers\ProfileAuthorizationHelper::authorize($profile);

    // ... rest of operation logic
}

For Conditional UI Rendering

// In Livewire components or blade views
if (\App\Helpers\ProfileAuthorizationHelper::can($profile)) {
    // Show edit/delete buttons
}

Impact Assessment

Before Fix

  • Any authenticated user could delete ANY profile
  • No ownership validation
  • Complete authorization bypass via session manipulation
  • ⚠️ CRITICAL SECURITY VULNERABILITY

After Fix

  • Users can only delete profiles they own/have access to
  • Database-level relationship validation
  • Comprehensive logging of unauthorized attempts
  • 403 errors prevent unauthorized operations
  • Security vulnerability resolved

Residual Risks

  1. Other Profile Operations Not Yet Protected

    • Profile editing, password changes, settings still need fixes
    • Priority: HIGH - implement using same pattern

  2. View-Level Access

    • Views may still render forms for unauthorized profiles
    • Recommendation: Add @can directives or use ProfileAuthorizationHelper::can()

  3. API Endpoints (if applicable)

    • API routes need same authorization checks
    • Review all API controllers for similar vulnerabilities

Next Steps

Completed (2025-12-28)

  1. Create ProfileAuthorizationHelper
  2. Fix DeleteUserForm (profile deletion)
  3. Fix UpdateNonUserPasswordForm (non-user password changes)
  4. Fix UpdateSettingsForm (settings modification)
  5. Fix UpdateProfilePhoneForm (phone updates)
  6. Fix SocialsForm (social links management)
  7. Fix UpdateProfileLocationForm (location updates)
  8. Fix UpdateProfileBankForm (bank profile updates)
  9. Fix UpdateProfileOrganizationForm (organization profile updates)
  10. Fix Admin/Log.php (admin log viewer)
  11. Fix Admin/LogViewer.php (admin log file viewer)
  12. Fix SwitchProfile.php (profile switching)
  13. Fix MigrateCyclosProfileSkillsForm (Cyclos skills migration)
  14. Remove deprecated userOwnsProfile() helper
  15. Fix ProfileAuthorizationHelper to use banksManaged() instead of banks()
  16. Audit all profile-modifying Livewire components
  17. Fix validation error display for languages field (all profile forms)
  18. Remove debug error handling from UpdateProfileBankForm
  19. Fix UpdateMessageSettingsForm (message settings - CRITICAL IDOR)
  20. Fix DisappearingMessagesSettings (multi-guard compatibility)
  21. Audit WireChat messenger customizations
  22. Fix ProfileAuthorizationHelper multi-guard support (Admin/Org/Bank login compatibility)

Short-term (This Week)

  1. Audit ALL profile-modifying operations
  2. Add authorization checks everywhere needed
  3. Add view-level permission checks
  4. Test all protected operations manually
  5. Update security test results document

Long-term (This Month)

  1. Implement Laravel Policies for formal authorization
  2. Add middleware for route-level protection
  3. Implement rate limiting on sensitive operations
  4. Add security audit logging dashboard
  5. Create security monitoring alerts

Code Examples

Example 1: Protecting a Livewire Component Method

use App\Helpers\ProfileAuthorizationHelper;

class UpdateProfileInformationForm extends Component
{
    public function updateProfileInformation()
    {
        $profile = getActiveProfile();

        // Protect against IDOR
        ProfileAuthorizationHelper::authorize($profile);

        // Validation
        $this->validate([
            'name' => 'required|string|max:255',
            'email' => 'required|email',
        ]);

        // Update profile
        $profile->update([
            'name' => $this->name,
            'email' => $this->email,
        ]);
    }
}

Example 2: Conditional Rendering in Blade

@php
    $profile = getActiveProfile();
    $canEdit = \App\Helpers\ProfileAuthorizationHelper::can($profile);
@endphp

@if($canEdit)
    <button wire:click="edit">Edit Profile</button>
    <button wire:click="delete">Delete Profile</button>
@endif

Example 3: Controller Protection

use App\Helpers\ProfileAuthorizationHelper;

class ProfileController extends Controller
{
    public function update(Request $request, $profileId)
    {
        $profile = Organization::findOrFail($profileId);

        // Validate ownership before allowing update
        ProfileAuthorizationHelper::authorize($profile);

        // Process update
        $profile->update($request->validated());

        return redirect()->back()->with('success', 'Profile updated');
    }
}

Logging & Monitoring

Authorization Logs

All authorization checks are logged:

Successful Authorization:

[INFO] ProfileAuthorizationHelper: Profile access authorized
  authenticated_user_id: 123
  profile_type: App\Models\Organization
  profile_id: 456

Failed Authorization:

[WARNING] ProfileAuthorizationHelper: Unauthorized Organization access attempt
  authenticated_user_id: 123
  target_organization_id: 999
  user_organizations: [456, 789]

Monitoring Recommendations

  1. Set up alerts for repeated authorization failures from same user
  2. Monitor for patterns indicating automated attacks
  3. Create dashboard showing authorization failure rates
  4. Implement rate limiting after N failures
  5. Consider IP blocking for persistent violators

Rollback Procedure

If issues arise with the fix:

# Revert DeleteUserForm changes
git diff app/Http/Livewire/Profile/DeleteUserForm.php
git checkout app/Http/Livewire/Profile/DeleteUserForm.php

# Remove ProfileAuthorizationHelper from composer
# Edit composer.json and remove the line
composer dump-autoload

# Restart application
php artisan config:clear
php artisan cache:clear

WARNING: Rolling back removes critical security protection. Only do this if absolutely necessary and plan immediate alternative fix.

References

  • Original vulnerability report: references/SECURITY_TEST_RESULTS_PHASE1.md
  • Test suite: tests/Feature/Security/Authorization/ProfileDeletionAuthorizationTest.php
  • Helper class: app/Helpers/ProfileAuthorizationHelper.php
  • Fixed component: app/Http/Livewire/Profile/DeleteUserForm.php

Contact

Implemented by: Claude Code Security Fix Date: 2025-12-28 Review Status: Pending manual verification Deployment Status: Ready for staging deployment after additional component fixes

Reference in New Issue View Git Blame Copy Permalink