A modern platform tailored for hosting providers and enthusiasts to effortlessly interact with their servers. Seamlessly wrapping around Proxmox, Convoy is easily deployable, affordable at just $6 per node per month for commercial use, and completely free for personal and non-profit endeavors.
Current Behavior
It seems that Convoy doesn't validate the resources belonging to an object when a user is performing an administrative action on it. For example, if a user deletes a backup off of a server, Convoy doesn't check whether the backup belongs to the server. Theoretically, a user can delete any server's backups.
Expected Behavior
Convoy should provide a 404 if a user tries to delete a backup that isn't owned by their server.
Steps to Reproduce
N/A
Screenshots
No response
Proxmox OS Version
N/A
Operating System
N/A
Browser
N/A
Additional Context
No response
Panel Version
3.10.1-beta
Error Logs
No response
Is there an existing issue for this?
[x] I have searched the existing issues before opening this issue.
[X] I have checked in the Discord server and believe this is a bug with the software, and not a configuration issue with my specific system.
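The missing ownership check described in this report, shown as an added example (not Convoy's code and not part of the original issue). The schema, function names and status codes are assumptions made for illustration: an unscoped delete sits beside a delete scoped to the server in the route, which returns 404 for a backup that belongs to another server.

```python
import sqlite3

def make_db():
    """Constructed sample data: two servers, one backup each."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE servers (id INTEGER PRIMARY KEY, owner TEXT);
        CREATE TABLE backups (id INTEGER PRIMARY KEY, server_id INTEGER, name TEXT);
        INSERT INTO servers VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO backups VALUES (10, 1, 'alice-nightly'), (20, 2, 'bob-nightly');
    """)
    return db

def owns_server(db, user, server_id):
    """Authorization on the parent object (hypothetical helper)."""
    row = db.execute("SELECT 1 FROM servers WHERE id = ? AND owner = ?",
                     (server_id, user)).fetchone()
    return row is not None

def backup_exists(db, backup_id):
    row = db.execute("SELECT 1 FROM backups WHERE id = ?", (backup_id,)).fetchone()
    return row is not None

def delete_backup_unscoped(db, user, server_id, backup_id):
    """Reported behaviour: the server is authorized, but the backup is
    looked up by its id alone, so any server's backup matches."""
    if not owns_server(db, user, server_id):
        return 404
    cur = db.execute("DELETE FROM backups WHERE id = ?", (backup_id,))
    return 204 if cur.rowcount else 404

def delete_backup_scoped(db, user, server_id, backup_id):
    """Expected behaviour: the child lookup is bound to the parent, so a
    backup owned by another server is indistinguishable from a missing one."""
    if not owns_server(db, user, server_id):
        return 404
    cur = db.execute("DELETE FROM backups WHERE id = ? AND server_id = ?",
                     (backup_id, server_id))
    return 204 if cur.rowcount else 404
```

Putting the `server_id` condition in the same query that resolves the backup keeps the check from being skipped by a handler that forgets a separate comparison.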