Closed Sn1r closed 2 months ago
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
Hi, any feedback?
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
This issue was closed because it has been stalled for 5 days with no activity.
Is this a BUG REPORT or FEATURE REQUEST?:
What happened: It is possible to edit any user's comment with a low-privileged user, such as a customer with a User role. This can be done by tampering with the WebSocket message being sent to the server, allowing the modification of the message ID and corresponding message content to be accepted by the backend.
What did you expect to happen: Enforce server-side validation to restrict low-privileged users from modifying others' comments via WebSocket messages, and implement role-based access control to ensure only authorized users can edit comments.
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?: I'm available for further questions.
Environment:
Below is a PoC that showcases a customer with a User role that changes an Admin comment in a ticket:
https://github.com/polonel/trudesk/assets/71400526/e3940c17-7fe3-4abf-98fc-4c18a0c8c768
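The server-side check the report asks for, as an added example that is not trudesk's code: the actor comes from the authenticated socket session, never from the client message, and the edit is allowed only for the comment's owner or an admin. The store, role names, and message shape are assumptions.

```javascript
// Added example, not trudesk code. Authorization for an "edit comment"
// WebSocket message; store layout, role names and message shape are assumed.

const ROLE_ADMIN = 'admin';

// Constructed in-memory stand-in for the ticket comment table.
const comments = new Map([
  [101, { id: 101, ticketId: 7, ownerId: 'admin-1', body: 'Admin note' }],
  [102, { id: 102, ticketId: 7, ownerId: 'cust-9', body: 'Customer note' }],
]);

// The decision the vulnerable handler skipped: may this user edit this comment?
function canEditComment(user, comment) {
  if (!user || !comment) return false;
  if (user.role === ROLE_ADMIN) return true;
  return comment.ownerId === user.id;
}

// Handles a client message like {"type":"editComment","commentId":101,"body":"..."}.
// `session.user` is whatever the server bound to the socket at login; the
// client-supplied message is treated as untrusted input throughout.
function handleEditComment(session, msg) {
  if (!msg || typeof msg.commentId !== 'number' ||
      typeof msg.body !== 'string' || msg.body.length === 0) {
    return { ok: false, error: 'invalid message' };
  }
  const comment = comments.get(msg.commentId);
  if (!comment) return { ok: false, error: 'not found' };
  if (!canEditComment(session.user, comment)) {
    // Worth logging: a tampered commentId from a low-privileged session is the
    // signature of the behaviour described in this issue.
    console.warn(`denied edit of comment ${comment.id} by ${session.user.id} (${session.user.role})`);
    return { ok: false, error: 'forbidden' };
  }
  comment.body = msg.body;
  return { ok: true, comment: { ...comment } };
}
```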