[P0] Security: Audit and Fix IDOR vulnerabilities in update functions
Severity
- Priority: P0
- Type: Security (IDOR)
- Estimation: 4 hours
Problem
Insecure Direct Object Reference (IDOR) vulnerabilities may exist in update functions where ownership verification is missing or incomplete. The failure mode: an authenticated user sends the id of a record owned by someone else to an update function that only checks that the caller is logged in, not that the caller owns that record, and the update goes through. A related variant is writing the client-supplied body as-is, so fields such as userId or gameWorldId can be reassigned in the same request.
Functions to Audit
Known safe (has verifyWorldPermission):
- updateWorldTitle - ✅ Has verifyWorldPermission(id, user.id)
Needs verification:
- updateWorldState - Check if it verifies ownership
- updatePin - Check permission verification
- updateLayer - Check permission verification
- updateLoreEntry - Check permission verification
- updateCharacter - Check permission verification
- updateGalleryItem - Check permission verification
Audit Checklist
For each update function, verify:
```typescript
export async function updateResource(id: string, data: any) {
  const user = await getAuthenticatedUser();

  // 1. Must verify ownership BEFORE updating. The helper throws if `id` does
  //    not belong to user.id, so nothing below runs for someone else's row.
  await verifyResourcePermission(id, user.id);

  // 2. Must not trust client-provided userId/gameWorldId. Reject an explicit
  //    attempt to reassign ownership, then drop both fields from the payload
  //    so they can never reach the database write.
  if (data.userId !== undefined && data.userId !== user.id) {
    throw new AuthorizationError("Cannot modify userId");
  }
  const { userId, gameWorldId, ...sanitizedData } = data;

  // 3. Update, using the id from the route/argument (never data.id) and the
  //    sanitized payload only.
  const updated = await prisma.resource.update({
    where: { id },
    data: sanitizedData,
  });
  return updated;
}
```
Common IDOR Patterns to Fix
Pattern 1: Missing ownership check
```typescript
// BAD
export async function updateThing(id: string, data: any) {
  await getAuthenticatedUser(); // Only auth, no ownership!
  return prisma.thing.update({ where: { id }, data });
}

// GOOD
export async function updateThing(id: string, data: any) {
  const user = await getAuthenticatedUser();
  await verifyThingPermission(id, user.id); // Ownership check
  return prisma.thing.update({ where: { id }, data });
}
```
Pattern 2: Trusting client-provided IDs
```typescript
// BAD
const updated = await prisma.character.update({
  where: { id: data.id }, // Client chooses which row is written!
  data: { ...data },      // Client could provide userId!
});

// GOOD (after verifyCharacterPermission(id, user.id) from Pattern 1 has passed)
const { userId, gameWorldId, ...safeData } = data;
const updated = await prisma.character.update({
  where: { id },  // id from the function argument, not from the body
  data: safeData,
});
```
Files to Audit
- src/features/worlds/actions/worlds.ts - All update functions
- src/features/pins/actions/pins.ts - All update functions
- src/features/layers/actions/layers.ts - All update functions
- src/features/lore/actions/lore.ts - All update functions
- src/features/characters/actions/characters.ts - All update functions
- src/features/gallery/actions/gallery.ts - All update functions
Steps to Fix
- Audit all update functions for ownership verification
- Ensure no function trusts client-provided userId/gameWorldId
- Add permission helpers if missing
- Write tests for IDOR prevention
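The following is an added example, not code from this repository: it plays the audit checklist and both patterns through end to end, together with the kind of IDOR regression test the last step asks for. Prisma is replaced by an in-memory store, the sample rows are constructed, the error classes and every function name (CharacterStore, verifyCharacterPermission, updateCharacterVulnerable, updateCharacterSafe, runIdorProbe) are assumptions, and the authenticated user is passed in as `caller` rather than read from the session by getAuthenticatedUser(). It goes one step beyond Pattern 2 by allowlisting editable columns instead of stripping known-dangerous ones.

```typescript
// Added example (not project code). In-memory stand-in for Prisma plus a
// vulnerable and a hardened update action, and the probe a regression test
// should run against them. All names and data here are assumptions.

type User = { id: string };
type Character = { id: string; name: string; userId: string; gameWorldId: string };

class AuthorizationError extends Error {
  constructor(message: string) { super(message); this.name = "AuthorizationError"; }
}
class NotFoundError extends Error {
  constructor(message: string) { super(message); this.name = "NotFoundError"; }
}
function isAuthorizationError(e: unknown): boolean {
  return e instanceof Error && e.name === "AuthorizationError";
}

// Minimal stand-in for prisma.character.findUnique / prisma.character.update.
class CharacterStore {
  private rows = new Map<string, Character>();
  constructor(seed: Character[]) {
    for (const row of seed) this.rows.set(row.id, { ...row });
  }
  findUnique(id: string): Character | undefined {
    return this.rows.get(id);
  }
  update(id: string, data: Partial<Character>): Character {
    const existing = this.rows.get(id);
    if (!existing) throw new NotFoundError(`character ${id} not found`);
    const updated = { ...existing, ...data };
    this.rows.set(id, updated);
    return updated;
  }
}

// Constructed sample data: two users who each own one character.
function seedStore(): CharacterStore {
  return new CharacterStore([
    { id: "char-1", name: "Alice's hero", userId: "user-alice", gameWorldId: "world-1" },
    { id: "char-2", name: "Bob's villain", userId: "user-bob", gameWorldId: "world-2" },
  ]);
}

// Ownership check in the shape of the verifyXPermission helpers: the row must
// exist AND belong to the caller. Both failures raise the same error, so the
// response does not tell a non-owner whether the id exists at all.
function verifyCharacterPermission(store: CharacterStore, id: string, userId: string): Character {
  const row = store.findUnique(id);
  if (!row || row.userId !== userId) {
    throw new AuthorizationError(`not permitted to modify character ${id}`);
  }
  return row;
}

// Patterns 1 and 2, BAD: the caller is authenticated but never compared with
// the row's owner, and the client body is written as-is, userId included.
function updateCharacterVulnerable(
  store: CharacterStore, _caller: User, id: string, data: Partial<Character>,
): Character {
  return store.update(id, data); // _caller is never consulted: this is the IDOR
}

// Columns this action may change. An allowlist is stricter than the denylist
// in Pattern 2: a column added to the model later is not writable by accident.
const EDITABLE_FIELDS = ["name"] as const;

function updateCharacterSafe(
  store: CharacterStore, caller: User, id: string, data: Partial<Character>,
): Character {
  verifyCharacterPermission(store, id, caller.id); // 1. ownership BEFORE the write
  const safeData: Partial<Character> = {};          // 2. ignore client-supplied ids
  for (const field of EDITABLE_FIELDS) {
    if (data[field] !== undefined) safeData[field] = data[field];
  }
  return store.update(id, safeData);                // 3. write the sanitised body only
}

// The probe an IDOR regression test should contain: Bob targets Alice's row
// by id and also tries to take ownership of it in the same request.
function runIdorProbe() {
  const alice: User = { id: "user-alice" };
  const bob: User = { id: "user-bob" };
  const hostile: Partial<Character> = { name: "pwned", userId: "user-bob" };

  const vulnerable = seedStore();
  const takenOver = updateCharacterVulnerable(vulnerable, bob, "char-1", hostile);

  const hardened = seedStore();
  let rejected = false;
  try {
    updateCharacterSafe(hardened, bob, "char-1", hostile);
  } catch (e) {
    rejected = isAuthorizationError(e);
  }
  const untouched = hardened.findUnique("char-1");
  // The real owner can still rename, but cannot hand the row to someone else.
  const ownerEdit = updateCharacterSafe(hardened, alice, "char-1", { name: "Renamed", userId: "user-bob" });

  return {
    vulnerableTookOver: takenOver.userId === "user-bob" && takenOver.name === "pwned",
    attackerRejected: rejected && untouched?.name === "Alice's hero" && untouched?.userId === "user-alice",
    ownerKeptOwnership: ownerEdit.name === "Renamed" && ownerEdit.userId === "user-alice",
  };
}
```

For the real actions, the same probe translates directly into a test: seed two users and one row each, call the server action as the second user with the first user's id and a body containing userId/gameWorldId, and assert both that the call throws and that the row is unchanged afterwards. Asserting only on the thrown error misses the case where the write happens before the check.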
Acceptance Criteria
Notes
Use the existing verifyXPermission helpers from @/shared/lib/server-helpers.
Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com