From f066eb3ea4d1648ef925a745836e48a71b600a5f Mon Sep 17 00:00:00 2001
From: kolaente
Date: Fri, 20 Mar 2026 10:15:11 +0100
Subject: [PATCH] fix: require CanUpdate for project background deletion

RemoveProjectBackground previously used checkProjectBackgroundRights which only checks CanRead, allowing read-only users to delete project backgrounds. Added checkProjectBackgroundWriteRights that checks CanUpdate and use it in RemoveProjectBackground.
Ref: GHSA-564f-wx8x-878h
---
 pkg/modules/background/handler/background.go | 28 +++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/pkg/modules/background/handler/background.go b/pkg/modules/background/handler/background.go
index 60845b57f..83d9eb570 100644
--- a/pkg/modules/background/handler/background.go
+++ b/pkg/modules/background/handler/background.go
@@ -328,6 +328,32 @@ func checkProjectBackgroundRights(s *xorm.Session, c *echo.Context) (project *mo
 return
 }
+func checkProjectBackgroundWriteRights(s *xorm.Session, c *echo.Context) (project *models.Project, auth web.Auth, err error) {
+ auth, err = auth2.GetAuthFromClaims(c)
+ if err != nil {
+ return nil, auth, echo.NewHTTPError(http.StatusBadRequest, "Invalid auth token: "+err.Error()).Wrap(err)
+ }
+
+ projectID, err := strconv.ParseInt(c.Param("project"), 10, 64)
+ if err != nil {
+ return nil, auth, echo.NewHTTPError(http.StatusBadRequest, "Invalid project ID: "+err.Error()).Wrap(err)
+ }
+
+ project = &models.Project{ID: projectID}
+ can, err := project.CanUpdate(s, auth)
+ if err != nil {
+ _ = s.Rollback()
+ return nil, auth, err
+ }
+ if !can {
+ _ = s.Rollback()
+ log.Infof("Tried to modify project background of project %d while not having the permissions for it (User: %v)", projectID, auth)
+ return nil, auth, echo.NewHTTPError(http.StatusForbidden, "Forbidden")
+ }
+
+ return
+}
+
 // GetProjectBackground serves a previously set background from a project
 // It has no knowledge of the provider that was responsible for setting the background.
 //
 // @Summary Get the project background
@@ -417,7 +443,7 @@ func RemoveProjectBackground(c *echo.Context) error {
 s := db.NewSession()
 defer s.Close()
- project, auth, err := checkProjectBackgroundRights(s, c)
+ project, auth, err := checkProjectBackgroundWriteRights(s, c)
 if err != nil {
 _ = s.Rollback()
 return err
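Review bot: checkProjectBackgroundWriteRights has no doc comment, and judging by the commit message its body differs from checkProjectBackgroundRights (whose body lies outside the hunk) only in calling CanUpdate instead of CanRead, which leaves two permission helpers that can drift apart again. Consider folding both into one helper that takes the check as a parameter, e.g. `func checkProjectBackgroundAccess(s *xorm.Session, c *echo.Context, can func(*models.Project, *xorm.Session, web.Auth) (bool, error)) (*models.Project, web.Auth, error)`, called with `(*models.Project).CanRead` or `(*models.Project).CanUpdate`. Rollback handling inside the new function is also uneven: the permission-error and forbidden paths call `s.Rollback()` while the two StatusBadRequest returns do not, and RemoveProjectBackground already rolls back on every error (second hunk), so the in-helper rollbacks are redundant. Any other mutating handler in this file that still resolves its permission through checkProjectBackgroundRights would keep the read-only gap this fix closes, so it is worth confirming the background-setting paths use the write variant. A one-line comment such as `// checkProjectBackgroundWriteRights resolves the project from the route and rejects callers that may not update it.` would make the distinction from the read-only helper explicit.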