Conversation

@lunika
Member

@lunika lunika commented Nov 12, 2025

Purpose

Via the ask_for_access viewset, it is possible for an administrator to escalate another user to an owner role and then take control of the document by removing all other owners.

This PR ensures that an administrator cannot accept a role higher than the one he/she already has. Also, the serializer does not accept the owner role anymore.

Proposal

  • 🔒️(backend) role in ask_for_access must be lower than user role
  • 🔒️(backend) remove owner as valid role for ask_for_access serializer

We check that the role set in an ask_for_access is not higher than the
role of the user accepting the request. We prevent the case where an admin will
grant a user owner in order to take control of the document. Only an owner
can accept an owner role.
@lunika lunika requested review from AntoLC and qbey November 12, 2025 11:04
@lunika lunika self-assigned this Nov 12, 2025
@lunika lunika added the enhancement improve an existing feature label Nov 12, 2025
When an ask_for_access creation is made, we explicitly remove the owner
role to prevent role escalation.
@lunika lunika force-pushed the fix/ask-to-access-escalation branch from 02d300d to b37f2aa Compare November 12, 2025 12:27
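
The two checks described in this PR, sketched as an added example in plain Python; this is not the project's code. The role names other than administrator and owner, the priority values, and all function names are assumptions made for illustration.

```python
# Added illustration: hypothetical names, not the project's own code.
# Assumed role ordering; only "administrator" and "owner" appear in the PR text.
ROLE_PRIORITY = {"reader": 1, "editor": 2, "administrator": 3, "owner": 4}
REQUESTABLE_ROLES = frozenset(ROLE_PRIORITY) - {"owner"}
ACCEPTOR_ROLES = frozenset({"administrator", "owner"})


class RoleError(Exception):
    """Raised when a requested or granted role is not allowed."""


def validate_requested_role(role):
    """Creation-side check: owner is never valid in an access request."""
    if role not in REQUESTABLE_ROLES:
        raise RoleError(f"{role!r} is not a valid role for an access request")
    return role


def accept_request(accesses, acceptor, requester, role):
    """Grant `role` to `requester` if `acceptor` is allowed to grant it.

    `accesses` maps user -> role for one document and is updated in place.
    """
    acceptor_role = accesses.get(acceptor)
    if acceptor_role not in ACCEPTOR_ROLES:
        raise RoleError("only administrators and owners can accept requests")
    if role not in ROLE_PRIORITY:
        raise RoleError(f"unknown role {role!r}")
    # Core check: the granted role must not outrank the acceptor's own role,
    # so an administrator cannot mint an owner and use it to take over.
    if ROLE_PRIORITY[role] > ROLE_PRIORITY[acceptor_role]:
        raise RoleError(f"{acceptor_role} cannot grant {role}")
    accesses[requester] = role
    return accesses


if __name__ == "__main__":
    # Constructed sample data: one owner, one administrator.
    doc = {"alice": "owner", "bob": "administrator"}
    accept_request(doc, "bob", "carol", "administrator")  # equal role: allowed
    accept_request(doc, "alice", "dave", "owner")         # owner grants owner
    try:
        accept_request(doc, "bob", "erin", "owner")       # escalation attempt
    except RoleError as exc:
        print("rejected:", exc)
    print(doc)
```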