mpociot / teamwork

User to Team associations with invitation system for the Laravel 5 Framework
MIT License
1.07k stars 170 forks

Security issues #104

Closed o7n closed 2 years ago

o7n commented 5 years ago

There are several security issues in the controller code. Three methods need

    if (!auth()->user()->isOwnerOfTeam($team)) {
        abort(403);
    }

below the line

    $team = $teamModel::findOrFail($team_id);

TeamMemberController->invite() has already been discussed in issue #53, and this could be subjective. However, TeamController->update() does not check for ownership. Neither does TeamMemberController->show(), so all members of a team are exposed to anyone.

I can understand that some people would want to allow the first and third case, but it would be better to make this secure by default, so that people who do want to allow it can remove the check.

mukoladeath commented 5 years ago

Yes, you are right about these issues. In some cases it can also be useful.

for TeamMemberController->show() and TeamMemberController->invite()

    if (!auth()->user()->teams->contains($team)) {
        abort(403);
    }

Therefore, if you are a member of several groups, you can see your friends and send invitations to new users. But for the invitation, I agree that this may be subjective; maybe someone does not mind that members can invite new members to the owner's team, or vice versa.
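The two checks proposed in this thread side by side, as an added example rather than the package's own controller code: the ownership check from the first comment on TeamController->update(), and the membership check from the second comment on TeamMemberController->show(). The example assumes the package's UserHasTeams trait (the isOwnerOfTeam() method and the teams relationship) and the config key teamwork.team_model; the controller class layout, the teams.index route name and the view names are hypothetical. The methods are shown as they would look before the check (an authenticated user who knows a team id can act on it) and after.

```php
<?php
// Added example, not the teamwork package's own controllers. Assumes the
// package's UserHasTeams trait on the User model and the teamwork.team_model
// config key; class names, route names and view names are hypothetical.
// Both controllers are assumed to sit behind the 'auth' middleware, so
// auth()->user() is never null here.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Routing\Controller;

class TeamController extends Controller
{
    // Before: any logged-in user who guesses a team id can rename the team.
    public function updateUnchecked(Request $request, $team_id)
    {
        $teamModel = config('teamwork.team_model');
        $team = $teamModel::findOrFail($team_id);

        $team->name = $request->input('name');
        $team->save();

        return redirect(route('teams.index'));
    }

    // After: load the team, then refuse unless the caller owns it.
    public function update(Request $request, $team_id)
    {
        $teamModel = config('teamwork.team_model');
        $team = $teamModel::findOrFail($team_id);

        if (!auth()->user()->isOwnerOfTeam($team)) {
            abort(403);
        }

        $team->name = $request->input('name');
        $team->save();

        return redirect(route('teams.index'));
    }
}

class TeamMemberController extends Controller
{
    // Before: the member list of any team is readable by any logged-in user.
    public function showUnchecked($team_id)
    {
        $teamModel = config('teamwork.team_model');
        $team = $teamModel::findOrFail($team_id);

        return view('teamwork.members.list', compact('team'));
    }

    // After: only members of the team may see its member list. Use
    // isOwnerOfTeam() instead if the list should be owner-only.
    public function show($team_id)
    {
        $teamModel = config('teamwork.team_model');
        $team = $teamModel::findOrFail($team_id);

        if (!auth()->user()->teams->contains($team)) {
            abort(403);
        }

        return view('teamwork.members.list', compact('team'));
    }
}
```

One caveat with placing the check below findOrFail(), as both comments suggest: a non-member receives 404 for a team id that does not exist and 403 for one that does, so team ids can still be enumerated. If that matters, abort with 404 in both branches, or scope the lookup to the caller's teams (for example auth()->user()->teams()->findOrFail($team_id)) so that unknown and forbidden ids are indistinguishable.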

github-actions[bot] commented 2 years ago

This issue is stale because it has been open for 30 days with no activity.

github-actions[bot] commented 2 years ago

This issue was closed because it has been inactive for 14 days since being marked as stale.