From 5ba1657e00475a011d8828c4721c9e28fbdf3d9a Mon Sep 17 00:00:00 2001
From: lebaudantoine
Date: Sat, 7 Feb 2026 23:52:08 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=A7=AA(backend)=20add=20test=20exposing?= =?UTF-8?q?=20rooms=20permission=20flaw=20in=20external=20API?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add a failing test demonstrating that a user can retrieve a room they do not have access to when the room UUID is known. This highlights an improper object-level permission verification in the external API. While exploitation requires obtaining the target room UUID, this still represents a security issue (BOLA / IDOR class vulnerability) and must be fixed. The test documents the expected behavior and will pass once proper access filtering or permission checks are enforced.
---
 .../core/tests/test_external_api_rooms.py | 32 +++++++++++++++++++
 1 file changed, 32 insertions(+)
diff --git a/src/backend/core/tests/test_external_api_rooms.py b/src/backend/core/tests/test_external_api_rooms.py
index 5697d6d1..6fa8cf0d 100644
--- a/src/backend/core/tests/test_external_api_rooms.py
+++ b/src/backend/core/tests/test_external_api_rooms.py
@@ -212,6 +212,38 @@ def test_api_rooms_retrieve_success(settings):
     }
 
 
+def test_api_rooms_retrieve_success_by_user(settings):
+    """Retrieve should only return rooms accessible to the authenticated user."""
+    settings.APPLICATION_JWT_SECRET_KEY = "devKey"
+
+    user1 = UserFactory()
+    user2 = UserFactory()
+
+    room1 = RoomFactory(users=[(user1, RoleChoices.OWNER)])
+    room2 = RoomFactory(users=[(user2, RoleChoices.OWNER)])
+    room3 = RoomFactory(users=[(user1, RoleChoices.MEMBER)])
+
+    token = generate_test_token(user1, [ApplicationScope.ROOMS_RETRIEVE])
+
+    client = APIClient()
+    client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")
+    response = client.get(f"/external-api/v1.0/rooms/{room2.id}/")
+
+    assert response.status_code == 403
+
+    client = APIClient()
+    client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")
+    response = client.get(f"/external-api/v1.0/rooms/{room1.id}/")
+
+    assert response.status_code == 200
+
+    client = APIClient()
+    client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")
+    response = client.get(f"/external-api/v1.0/rooms/{room3.id}/")
+
+    assert response.status_code == 200
+
+
 def test_api_rooms_create_requires_scope(settings):
     """Creating a room requires ROOMS_CREATE scope."""
     settings.APPLICATION_JWT_SECRET_KEY = "devKey"
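Review bot: The denied case pins `assert response.status_code == 403` for `room2`, which confirms to a caller that a room it is not a member of exists, whereas scoping the retrieve queryset to the authenticated user's rooms (the "access filtering" the commit message also names as an acceptable fix) would produce 404 and make this test fail even once the flaw is closed. The test should commit to the response the intended fix produces and say why; if the view is not yet decided, a comment such as `# 403 expects an explicit object-permission check; a user-scoped queryset would return 404 instead` keeps the choice visible to whoever implements it. This depends on the view implementation, which is not in the hunk. Separately, the three `client = APIClient()` / `client.credentials(...)` pairs repeat identical setup; one client authenticated once after `token` is generated can issue all three GETs. The new function is fully contained in this hunk.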