[P0] Security: Fix authorization bypass in reorderCharacterPinLinks
Severity
- Priority: P0
- Type: Security
- Estimation: 2 hours
Problem
The reorderCharacterPinLinks Server Action (if it exists) or similar link-reordering functions only authenticate the user; they never verify that the caller owns the character-pin relations being reordered.
Impact
- Any authenticated user can modify the order of character-pin links belonging to other users
- Disrupts workflow and data integrity of other users' worlds
- Multi-tenancy isolation violation
Files Affected
src/features/characters/methods/character-relations.ts (if it exists)
src/features/pins/ - Check for link reordering functions
Steps to Fix
- Search for reorderCharacterPinLinks or similar functions
- Verify ownership of each character-pin relation before updating:
  // Ownership check for the reorder action. getAuthenticatedUser, prisma and
  // AuthorizationError are the project's own helpers (import paths not given here).
  export async function reorderCharacterPinLinks(links: { linkId: string; order: number }[]) {
    const user = await getAuthenticatedUser();
    for (const { linkId } of links) {
      const relation = await prisma.characterPinRelation.findUnique({
        where: { id: linkId },
        include: { character: true },
      });
      // A missing relation, or one whose character belongs to another user, is
      // rejected before any write happens (optional chaining yields undefined for a miss).
      if (relation?.character.userId !== user.id) {
        throw new AuthorizationError("Unauthorized");
      }
    }
    // ...existing reorder update goes here, after every link has been verified
  }
- Add authorization tests
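The following is an added, self-contained example (not the project's code) that models the bypass described above and the intended fix against an in-memory stand-in for the Prisma tables: reorderLinksVulnerable only checks that a user is signed in, while reorderLinksSecure resolves every link to its owning character and rejects the whole batch before any write if one link is missing or foreign. The Store class, the sample data (users "alice" and "bob", characters c1/c2, links l1..l3) and the helper names are all constructed for this example.

```typescript
interface Character { id: string; userId: string }
interface CharacterPinRelation { id: string; characterId: string; order: number }
interface ReorderItem { linkId: string; order: number }

class AuthorizationError extends Error {
  constructor(msg: string) { super(msg); this.name = "AuthorizationError"; }
}

// Minimal stand-in for the two Prisma tables the ticket refers to (constructed).
class Store {
  constructor(
    public characters: Map<string, Character>,
    public relations: Map<string, CharacterPinRelation>,
  ) {}
}

// Constructed sample data: alice owns character c1 (links l1, l2); bob owns c2 (link l3).
function sampleStore(): Store {
  return new Store(
    new Map<string, Character>([
      ["c1", { id: "c1", userId: "alice" }],
      ["c2", { id: "c2", userId: "bob" }],
    ]),
    new Map<string, CharacterPinRelation>([
      ["l1", { id: "l1", characterId: "c1", order: 0 }],
      ["l2", { id: "l2", characterId: "c1", order: 1 }],
      ["l3", { id: "l3", characterId: "c2", order: 0 }],
    ]),
  );
}

// The shape the ticket reports: the caller is authenticated (userId is known),
// but no link is ever checked for ownership, so any signed-in user can reorder anyone's links.
function reorderLinksVulnerable(store: Store, userId: string, items: ReorderItem[]): void {
  if (!userId) throw new AuthorizationError("not signed in");
  for (const { linkId, order } of items) {
    const rel = store.relations.get(linkId);
    if (rel) rel.order = order;
  }
}

// The fix: look up every link with its owning character first (one batched query in
// Prisma: findMany with id in ids, include character) and reject the whole request if any
// link is missing or owned by someone else. Writes happen only after every check passes.
function reorderLinksSecure(store: Store, userId: string, items: ReorderItem[]): void {
  if (!userId) throw new AuthorizationError("not signed in");
  const ids = Array.from(new Set(items.map((i) => i.linkId)));
  const rels = ids.map((id) => store.relations.get(id));
  for (const rel of rels) {
    // Same error for "does not exist" and "not yours": the caller learns nothing
    // about other tenants' link ids.
    if (rel === undefined) throw new AuthorizationError("Unauthorized");
    const owner = store.characters.get(rel.characterId);
    if (!owner || owner.userId !== userId) throw new AuthorizationError("Unauthorized");
  }
  // All links verified: apply the new order (a real implementation wraps this in a transaction).
  for (const { linkId, order } of items) {
    const rel = store.relations.get(linkId);
    if (rel) rel.order = order;
  }
}

// Current order of a link, or -1 if it does not exist.
function orderOf(store: Store, linkId: string): number {
  const rel = store.relations.get(linkId);
  return rel ? rel.order : -1;
}

// True if fn throws an AuthorizationError (used to check denial without relying on output).
function deniesAccess(fn: () => void): boolean {
  try { fn(); return false; } catch (e) { return (e as Error).name === "AuthorizationError"; }
}
```

Usage: call reorderLinksSecure(sampleStore(), "bob", [{ linkId: "l1", order: 9 }]) and it throws, while the vulnerable variant silently rewrites alice's link. The all-or-nothing check matters because a batch that mixes the caller's own links with a foreign one must not partially apply; checking before writing (and, in the real code, inside a transaction) keeps the state consistent when the request is rejected.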
Acceptance Criteria
Notes
This may be part of character-relations.ts or may need to be created.
Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com