ConvoyPanel / panel

A modern platform tailored for hosting providers and enthusiasts to effortlessly interact with their servers. Seamlessly wrapping around Proxmox, Convoy is easily deployable, affordable at just $6 per node per month for commercial use, and completely free for personal and non-profit endeavors.
https://convoypanel.com

Users Can Modify API Resources Belonging to Others #56

Closed ericwang401 closed 7 months ago

ericwang401 commented 7 months ago

Current Behavior

It seems that Convoy doesn't validate the resources belonging to an object when a user is performing an administrative action on it. For example, if a user deletes a backup off of a server, Convoy doesn't check whether the backup belongs to the server. Theoretically, a user can delete any server's backups.

Expected Behavior

Convoy should provide a 404 if a user tries to delete a backup that isn't owned by their server.

Steps to Reproduce

N/A

Screenshots

No response

Proxmox OS Version

N/A

Operating System

N/A

Browser

N/A

Additional Context

No response

Panel Version

3.10.1-beta

Error Logs

No response

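The missing ownership check the issue describes, as an added example in Python and not code from the Convoy project (which is PHP): a deletion handler that looks the backup up by its id alone, next to one that scopes the lookup to the requested server and answers with the same "not found" whether the backup is missing or belongs to someone else. The data model, names and sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass


class NotFound(Exception):
    """Signals a 404: the resource is missing or is not visible to this caller."""


@dataclass(frozen=True)
class Server:
    uuid: str
    owner_id: int


@dataclass(frozen=True)
class Backup:
    uuid: str
    server_uuid: str


# Constructed sample data: two servers owned by different users, one backup each.
SERVERS = {s.uuid: s for s in [Server("srv-a", owner_id=1), Server("srv-b", owner_id=2)]}
BACKUPS = {b.uuid: b for b in [Backup("bak-a", "srv-a"), Backup("bak-b", "srv-b")]}


def _owned_server(user_id: int, server_uuid: str) -> Server:
    """Resolve the server from the URL and confirm the caller owns it, else 404."""
    server = SERVERS.get(server_uuid)
    if server is None or server.owner_id != user_id:
        raise NotFound(server_uuid)
    return server


def delete_backup_unscoped(user_id: int, server_uuid: str, backup_uuid: str) -> str:
    """Flawed pattern: the server is checked, but the backup is fetched by id only."""
    _owned_server(user_id, server_uuid)
    backup = BACKUPS.get(backup_uuid)  # never asks whether the backup belongs to this server
    if backup is None:
        raise NotFound(backup_uuid)
    return backup.uuid  # id that would be deleted, even if it is another user's backup


def delete_backup_scoped(user_id: int, server_uuid: str, backup_uuid: str) -> str:
    """Fixed pattern: the backup must belong to the server the caller owns."""
    server = _owned_server(user_id, server_uuid)
    backup = BACKUPS.get(backup_uuid)
    if backup is None or backup.server_uuid != server.uuid:
        raise NotFound(backup_uuid)  # same 404 as a missing backup: no existence leak
    return backup.uuid


def raises_not_found(fn, *args) -> bool:
    """Helper for checking that a handler refuses with a 404-style error."""
    try:
        fn(*args)
    except NotFound:
        return True
    return False
```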

ericwang401 commented 7 months ago

Resolved in 375e33830976bf643daa20fa0b322b48f1578689