fix(time): enforce user_id ownership on time-entry stop/update/delete #123

Merged
David merged 2 commits from fix/mapps-136-time-entry-ownership-guard into main 2026-06-13 13:39:20 +02:00

The stop_timer, update_time_entry, and delete_time_entry routes scoped writes by tenant_id and id only, letting any user in a tenant stop, tamper with, or delete a colleague's timer or entry (same-tenant IDOR). The routes now derive an owner guard of Some(user.id) for non-admins and None for admins, threaded into each service call. The SQL predicate AND ($N::uuid IS NULL OR user_id = $N) skips the check for admins (None) and otherwise restricts the write to rows the caller owns, so a non-owner gets the existing not-found path rather than mutating another user's row.

#MAPPS-136
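As an added example that is not the project's own code, the owner guard and the `($N::uuid IS NULL OR user_id = $N)` predicate from the description modelled in plain Rust over an in-memory store; the type names, fields, error enum and sample rows are assumptions, and the real service runs the predicate in SQL.

```rust
/// Stand-in for a real uuid type so the example needs no external crates (assumption).
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
struct Uuid(u128);

#[derive(Clone, Copy)]
struct AuthUser { id: Uuid, tenant_id: Uuid, is_admin: bool }

#[derive(Clone, Debug, PartialEq, Eq)]
struct TimeEntry { id: Uuid, tenant_id: Uuid, user_id: Uuid, running: bool }

#[derive(Debug, PartialEq, Eq)]
enum ServiceError { NotFound }

/// Derive the guard from the authenticated user, never from request input:
/// admins get None (the predicate short-circuits), everyone else their own id.
fn owner_guard(user: &AuthUser) -> Option<Uuid> {
    if user.is_admin { None } else { Some(user.id) }
}

/// In-memory equivalent of the row filter
///   WHERE tenant_id = $1 AND id = $2 AND ($3::uuid IS NULL OR user_id = $3)
fn row_matches(row: &TimeEntry, tenant_id: Uuid, id: Uuid, guard: Option<Uuid>) -> bool {
    row.tenant_id == tenant_id
        && row.id == id
        && guard.map_or(true, |owner| row.user_id == owner)
}

/// stop_timer with the guard threaded in: a colleague's entry is simply not
/// found, the same path as a nonexistent id, so nothing is mutated or leaked.
fn stop_timer(store: &mut [TimeEntry], user: &AuthUser, id: Uuid) -> Result<(), ServiceError> {
    let guard = owner_guard(user);
    let row = store
        .iter_mut()
        .find(|r| row_matches(r, user.tenant_id, id, guard))
        .ok_or(ServiceError::NotFound)?;
    row.running = false;
    Ok(())
}

/// Constructed sample rows: two running timers in tenant 1, one in tenant 2.
fn sample_store() -> Vec<TimeEntry> {
    vec![
        TimeEntry { id: Uuid(100), tenant_id: Uuid(1), user_id: Uuid(10), running: true },
        TimeEntry { id: Uuid(101), tenant_id: Uuid(1), user_id: Uuid(11), running: true },
        TimeEntry { id: Uuid(102), tenant_id: Uuid(2), user_id: Uuid(10), running: true },
    ]
}
```

The tenant filter stays in place for admins too, so a None guard only relaxes the ownership check, not the tenant boundary.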

fix(time): enforce user_id ownership on time-entry stop/update/delete
All checks were successful
Check / clippy + fmt + tests (pull_request) Successful in 51s
b2971c467d
Merge branch 'main' into fix/mapps-136-time-entry-ownership-guard
All checks were successful
Create release / Create release from merged PR (pull_request) Has been skipped
Check / clippy + fmt + tests (pull_request) Successful in 57s
f907232751
David merged commit cac3e3bd91 into main 2026-06-13 13:39:20 +02:00
David deleted branch fix/mapps-136-time-entry-ownership-guard 2026-06-13 13:39:21 +02:00
Reference
psa-systems/mokosh-apps!123