fix(event): close attendee-management IDOR on delete/update routes #587
Merged
Conversation
The DELETE/PATCH /events/:slug/attendees/:attendeeId routes had their @permissions(ManageAttendees) decorator commented out (since #235, May 2025), so PermissionsGuard fell through (no metadata => allow) and any authenticated user could delete or mutate any attendee by id.

- Re-enable @permissions(ManageAttendees) on both routes
- Route delete through EventManagementService for event-scoping
- Add findEventAttendeeScopedToEvent() and verify the attendee belongs to :slug before update/delete (defense-in-depth vs cross-event IDOR)
- Add e2e regression spec (RED proven against live API)

WIP: GREEN e2e run still pending (running API serves main worktree). Controller unit spec passes (30/30).
Adds a 5th scenario: a group admin who did NOT create the event can still manage attendees on group events (the CRMC multi-admin pattern). Ensures the IDOR fix doesn't regress group-level MANAGE_EVENTS grants.
Skip getGroupMembers call (403 in CI) and pass the joinGroup membership ID directly to updateGroupMemberRole. Verified locally: CRMC scenario passes, IDOR tests correctly fail against unfixed main.
Summary
- @Permissions(ManageAttendees) decorator on PATCH and DELETE attendee routes (commented out since Tom/crmc #235, May 2025)
- EventManagementService with event-scoping, preventing cross-event IDOR
- findEventAttendeeScopedToEvent() defense-in-depth: verifies attendee belongs to the target event before any mutation

Security
Any authenticated user could delete or mutate any attendee record by ID, regardless of event ownership or role. The permission guard was bypassed because the decorator was commented out.
Group admin compatibility
The PermissionsGuard multi-layer check is preserved: group admins with MANAGE_EVENTS still pass through for group-hosted events (the CRMC multi-admin pattern). A dedicated e2e test pins this.

Test plan
test/event-attendees/attendee-authorization.e2e-spec.ts - 5 scenarios:

Closes om-ct4o
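The two failure modes this PR closes, a guard that allows when a handler carries no permission metadata and a lookup keyed by attendee id alone, can be modelled without the framework. The following is an added example, not code from this PR or the project: it uses plain TypeScript instead of NestJS, and the Permission names, the User/Attendee/RouteMeta shapes, the grants map (standing in for the creator and group-admin MANAGE_EVENTS checks) and the in-memory attendee store are all assumptions. It places the pre-fix fail-open guard beside a fail-closed variant and shows the event-scoped lookup turning a cross-event id into "not found" even for a caller who holds ManageAttendees on the target event.

```typescript
// Added example (not the project's code). Models the permission guard and the
// event-scoped attendee lookup described in the PR; all names are assumptions.

type Permission = "ManageAttendees" | "ViewAttendees";

interface User {
  id: string;
  // Permissions the user holds per event slug, however obtained (event creator,
  // or group admin with MANAGE_EVENTS on a group-hosted event).
  grants: Record<string, Permission[]>;
}

interface RouteMeta {
  // undefined: no @Permissions(...) decorator on the handler (e.g. commented out).
  // []:        handler explicitly declared public.
  permissions?: Permission[];
}

interface Attendee {
  id: number;
  eventSlug: string;
  name: string;
}

// Constructed sample data: two events, one attendee each.
const ATTENDEES: Attendee[] = [
  { id: 1, eventSlug: "event-a", name: "Alice" },
  { id: 2, eventSlug: "event-b", name: "Bob" },
];

function hasAll(user: User, slug: string, required: Permission[]): boolean {
  const held = user.grants[slug] ?? [];
  return required.every((p) => held.includes(p));
}

// Pre-fix behaviour from the PR description: missing metadata falls through to allow.
export function guardFailOpen(meta: RouteMeta, user: User, slug: string): boolean {
  if (meta.permissions === undefined) return true;
  return hasAll(user, slug, meta.permissions);
}

// Fail-closed variant: a handler with no declared permissions is denied, so a
// forgotten or commented-out decorator cannot silently open the route. Public
// handlers must opt in with an empty list.
export function guardFailClosed(meta: RouteMeta, user: User, slug: string): boolean {
  if (meta.permissions === undefined) return false;
  return hasAll(user, slug, meta.permissions);
}

// Defense in depth: the lookup is keyed by (event, attendee), so an id from a
// different event is "not found" even for a caller who passed the guard.
export function findEventAttendeeScopedToEvent(slug: string, attendeeId: number): Attendee | null {
  return ATTENDEES.find((a) => a.id === attendeeId && a.eventSlug === slug) ?? null;
}

export type DeleteOutcome = "deleted" | "forbidden" | "not_found";

// Models DELETE /events/:slug/attendees/:attendeeId with a pluggable guard.
export function deleteAttendee(
  guard: (meta: RouteMeta, user: User, slug: string) => boolean,
  meta: RouteMeta,
  user: User,
  slug: string,
  attendeeId: number,
): DeleteOutcome {
  if (!guard(meta, user, slug)) return "forbidden";
  const attendee = findEventAttendeeScopedToEvent(slug, attendeeId);
  if (attendee === null) return "not_found";
  // Deletion is simulated; the store is left intact so the function stays pure.
  return "deleted";
}

// Constructed principals and route metadata.
export const ATTACKER: User = { id: "u-attacker", grants: {} };
export const ORGANIZER_A: User = { id: "u-org-a", grants: { "event-a": ["ManageAttendees"] } };
export const GROUP_ADMIN: User = {
  id: "u-group-admin",
  grants: { "event-a": ["ManageAttendees"], "event-b": ["ManageAttendees"] },
};
export const UNDECLARED: RouteMeta = {};
export const DECLARED: RouteMeta = { permissions: ["ManageAttendees"] };

// Usage: the IDOR, the same request against the fail-closed guard, and a
// cross-event id from a legitimately authorized organizer.
console.log(deleteAttendee(guardFailOpen, UNDECLARED, ATTACKER, "event-b", 2));
console.log(deleteAttendee(guardFailClosed, UNDECLARED, ATTACKER, "event-b", 2));
console.log(deleteAttendee(guardFailClosed, DECLARED, ORGANIZER_A, "event-a", 2));
```

In a real NestJS guard the metadata comes from `Reflector` and is `undefined` when no decorator is present; treating that as deny (and requiring public handlers to declare themselves) is the hardening the fail-closed variant illustrates, on top of re-enabling the decorator as the PR does. The GROUP_ADMIN principal stands in for the CRMC multi-admin scenario: a user who did not create the event but holds ManageAttendees on it through a group grant still gets "deleted".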