fix: derive organizationId from target resource in updateSegment and quota actions

- updateSegmentAction: use getOrganizationIdFromSegmentId instead of
  getOrganizationIdFromEnvironmentId to prevent IDOR via caller-supplied
  environmentId
- deleteQuotaAction/updateQuotaAction: use getOrganizationIdFromQuotaId
  and getProjectIdFromQuotaId instead of deriving from caller-supplied
  surveyId/quota.surveyId

Addresses review feedback from @BhagyaAmarasinghe on remaining IDOR
vectors in #7326.
Santosh
2026-03-11 09:12:24 +01:00
committed by applyflow-de
parent 77f7e099b9
commit fc762ebffc
2 changed files with 5 additions and 5 deletions


@@ -108,7 +108,7 @@ export const updateSegmentAction = authenticatedActionClient.schema(ZUpdateSegme
"updated",
"segment",
async ({ ctx, parsedInput }: { ctx: AuthenticatedActionClientCtx; parsedInput: Record<string, any> }) => {
const organizationId = await getOrganizationIdFromEnvironmentId(parsedInput.environmentId);
const organizationId = await getOrganizationIdFromSegmentId(parsedInput.segmentId);
await checkAuthorizationUpdated({
userId: ctx.user.id,
organizationId,
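Review bot: `parsedInput` is typed `Record<string, any>` on the handler signature just above the new lookup, so the `segmentId` now used for authorization is not checked against the schema the action was declared with; the quota actions in the same commit use `z.infer<typeof ZDeleteQuotaAction>`, and this handler should match: `parsedInput: z.infer<typeof ZUpdateSegmentAction>`. If `ZUpdateSegmentAction` still accepts an `environmentId` (the removed lookup consumed one), that field is now unverified caller data; either drop it from the schema or assert it equals the segment's actual environment before it reaches the update, otherwise the IDOR the commit closes on the authorization path can reopen on the write path. The body of updateSegmentAction, including where `parsedInput` is consumed, continues outside the hunk, so this is inferred from the signature and the commit description rather than visible code.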


@@ -46,7 +46,7 @@ export const deleteQuotaAction = authenticatedActionClient.schema(ZDeleteQuotaAc
ctx: AuthenticatedActionClientCtx;
parsedInput: z.infer<typeof ZDeleteQuotaAction>;
}) => {
const organizationId = await getOrganizationIdFromSurveyId(parsedInput.surveyId);
const organizationId = await getOrganizationIdFromQuotaId(parsedInput.quotaId);
await checkQuotasEnabled(organizationId);
await checkAuthorizationUpdated({
userId: ctx.user.id,
@@ -58,7 +58,7 @@ export const deleteQuotaAction = authenticatedActionClient.schema(ZDeleteQuotaAc
},
{
type: "projectTeam",
projectId: await getProjectIdFromSurveyId(parsedInput.surveyId),
projectId: await getProjectIdFromQuotaId(parsedInput.quotaId),
minPermission: "readWrite",
},
],
@@ -91,7 +91,7 @@ export const updateQuotaAction = authenticatedActionClient.schema(ZUpdateQuotaAc
ctx: AuthenticatedActionClientCtx;
parsedInput: z.infer<typeof ZUpdateQuotaAction>;
}) => {
const organizationId = await getOrganizationIdFromSurveyId(parsedInput.quota.surveyId);
const organizationId = await getOrganizationIdFromQuotaId(parsedInput.quotaId);
await checkQuotasEnabled(organizationId);
await checkAuthorizationUpdated({
userId: ctx.user.id,
@@ -103,7 +103,7 @@ export const updateQuotaAction = authenticatedActionClient.schema(ZUpdateQuotaAc
},
{
type: "projectTeam",
projectId: await getProjectIdFromSurveyId(parsedInput.quota.surveyId),
projectId: await getProjectIdFromQuotaId(parsedInput.quotaId),
minPermission: "readWrite",
},
],
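Review bot: updateQuotaAction still accepts `parsedInput.quota.surveyId` (the removed lines read it), while authorization is now keyed on `quotaId` alone, so a caller authorized for one quota could submit a `quota.surveyId` pointing at a survey in a project they do not belong to; whether that re-parents the quota depends on the update call, which runs past the end of the hunk. Load the quota once and reject a mismatch before the write, e.g. `if (parsedInput.quota.surveyId !== quota.surveyId) throw new Error("surveyId does not match quota");`, or strip `surveyId` from the update payload so it is never client-controlled. The same single lookup would also replace the two separate `getOrganizationIdFromQuotaId`/`getProjectIdFromQuotaId` round-trips made in each handler. Likewise deleteQuotaAction's `parsedInput.surveyId` no longer participates in authorization; if `ZDeleteQuotaAction` still requires it, drop it or assert it equals the quota's own survey, and note that `checkQuotasEnabled(organizationId)` still runs before `checkAuthorizationUpdated`, which lets an unauthorized caller learn whether quotas are enabled for an organization they cannot access.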