Fix three critical authorization vulnerabilities
mark-printed: was only checking the first check's account — now fetches all check IDs upfront, verifies they all exist and share the same account, then checks editor access once on that account.

PDF generation: was authorizing against the client-supplied account_id but fetching checks by ID without confirming they belong to that account — now rejects any check ID whose account_id doesn't match.

Role/account-assignment changes: active sessions for the affected user are now deleted immediately via json_extract on the sessions table, so demotions take effect at once rather than at session expiry (up to 7d).
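The batch-authorization pattern the message describes for mark-printed and for the PDF route, as an added example that is not part of this commit: every requested check is resolved up front, the batch is rejected if any ID is missing or belongs to a different account, and editor access is checked once on the shared account. The in-memory CHECKS and EDITORS tables and the helper names are constructed stand-ins for the project's database.

```javascript
// Constructed stand-ins for the checks table and per-account editor membership.
const CHECKS = [
  { id: 1, account_id: 10 },
  { id: 2, account_id: 10 },
  { id: 3, account_id: 20 },
];
const EDITORS = { 10: new Set([100]), 20: new Set([200]) }; // account_id -> editor user ids

function findChecks(ids) {
  return CHECKS.filter((c) => ids.includes(c.id));
}

function isEditor(userId, accountId) {
  return (EDITORS[accountId] || new Set()).has(userId);
}

// Resolve every requested check before any authorization decision. Fail closed
// (return null) if an ID does not exist or the IDs span more than one account.
function resolveSharedAccount(checkIds) {
  if (!Array.isArray(checkIds) || checkIds.length === 0) return null;
  const ids = [...new Set(checkIds)];
  const rows = findChecks(ids);
  if (rows.length !== ids.length) return null; // at least one ID does not exist
  const accountId = rows[0].account_id;
  if (rows.some((r) => r.account_id !== accountId)) return null; // cross-account mix
  return accountId;
}

// mark-printed style: one editor check on the single account all checks belong to.
function authorizeBatch(userId, checkIds) {
  const accountId = resolveSharedAccount(checkIds);
  if (accountId === null) return { ok: false, reason: 'unknown or mixed-account check ids' };
  if (!isEditor(userId, accountId)) return { ok: false, reason: 'not an editor on account' };
  return { ok: true, accountId };
}

// PDF style: the caller names an account; any check outside it rejects the whole request.
function checksWithinAccount(accountId, checkIds) {
  const ids = [...new Set(checkIds)];
  const rows = findChecks(ids);
  if (rows.length !== ids.length) return null;
  return rows.every((r) => r.account_id === accountId) ? rows : null;
}
```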
@@ -95,6 +95,13 @@ router.put('/:id', async (req, res) => {
}
}
|
// If role or account assignments changed, invalidate all active sessions for this user
// so the new permissions take effect immediately rather than at session expiry.
if (role || Array.isArray(accounts)) {
db.prepare("DELETE FROM sessions WHERE CAST(json_extract(sess, '$.userId') AS INTEGER) = ?")
.run(parseInt(req.params.id, 10));
}
|
res.json(userWithAccounts(req.params.id));
});
|
|
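Review bot: the guard `if (role || Array.isArray(accounts))` tests whether those fields were sent, not whether they changed, while the comment above it says "If role or account assignments changed"; a PUT that resends the user's current role will still delete every one of their sessions. Either compare against the stored role and account set before running the DELETE, or reword the comment to say the invalidation happens whenever those fields are supplied. Two smaller points on the same block: `parseInt(req.params.id, 10)` yields NaN for a non-numeric id, so validate the id before binding it to the DELETE rather than relying on the bind to fail; and an administrator editing their own role or accounts deletes their own current session as well, which is worth confirming is the intended behaviour.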