From fc762ebffcd402f5e60121dc7d27169f8651b543 Mon Sep 17 00:00:00 2001
From: Santosh
Date: Wed, 11 Mar 2026 09:12:24 +0100
Subject: [PATCH] fix: derive organizationId from target resource in updateSegment and quota actions

- updateSegmentAction: use getOrganizationIdFromSegmentId instead of getOrganizationIdFromEnvironmentId to prevent IDOR via caller-supplied environmentId
- deleteQuotaAction/updateQuotaAction: use getOrganizationIdFromQuotaId and getProjectIdFromQuotaId instead of deriving from caller-supplied surveyId/quota.surveyId

Addresses review feedback from @BhagyaAmarasinghe on remaining IDOR vectors in #7326.
---
 apps/web/modules/ee/contacts/segments/actions.ts | 2 +-
 apps/web/modules/ee/quotas/actions.ts | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/apps/web/modules/ee/contacts/segments/actions.ts b/apps/web/modules/ee/contacts/segments/actions.ts
index f46f55f451..3a5194b19a 100644
--- a/apps/web/modules/ee/contacts/segments/actions.ts
+++ b/apps/web/modules/ee/contacts/segments/actions.ts
@@ -108,7 +108,7 @@ export const updateSegmentAction = authenticatedActionClient.schema(ZUpdateSegme
 "updated",
 "segment",
 async ({ ctx, parsedInput }: { ctx: AuthenticatedActionClientCtx; parsedInput: Record }) => {
- const organizationId = await getOrganizationIdFromEnvironmentId(parsedInput.environmentId);
+ const organizationId = await getOrganizationIdFromSegmentId(parsedInput.segmentId);
 await checkAuthorizationUpdated({
 userId: ctx.user.id,
 organizationId,
diff --git a/apps/web/modules/ee/quotas/actions.ts b/apps/web/modules/ee/quotas/actions.ts
index 7633e69607..8cffa4387f 100644
--- a/apps/web/modules/ee/quotas/actions.ts
+++ b/apps/web/modules/ee/quotas/actions.ts
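Review bot: The caller-supplied `environmentId` is still part of the input after this change, and nothing in the hunk ties it to the segment that `segmentId` resolves to; if the code below this hunk still passes `parsedInput.environmentId` into the update, or derives the `projectTeam` entry's `projectId` from it, the authorization decision and the write can be evaluated against different environments. Either drop `environmentId` from the update schema, or resolve the segment once and reject the request when its stored environment differs from the supplied one, e.g. `if (segment.environmentId !== parsedInput.environmentId) throw new Error("segment does not belong to environment");` before `checkAuthorizationUpdated`. The body of updateSegmentAction continues outside the hunk, and the import of `getOrganizationIdFromSegmentId` is not in the diff, so confirm it is already in scope in this file.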
@@ -46,7 +46,7 @@ export const deleteQuotaAction = authenticatedActionClient.schema(ZDeleteQuotaAc
 ctx: AuthenticatedActionClientCtx;
 parsedInput: z.infer;
 }) => {
- const organizationId = await getOrganizationIdFromSurveyId(parsedInput.surveyId);
+ const organizationId = await getOrganizationIdFromQuotaId(parsedInput.quotaId);
 await checkQuotasEnabled(organizationId);
 await checkAuthorizationUpdated({
 userId: ctx.user.id,
@@ -58,7 +58,7 @@ export const deleteQuotaAction = authenticatedActionClient.schema(ZDeleteQuotaAc
 },
 {
 type: "projectTeam",
- projectId: await getProjectIdFromSurveyId(parsedInput.surveyId),
+ projectId: await getProjectIdFromQuotaId(parsedInput.quotaId),
 minPermission: "readWrite",
 },
 ],
@@ -91,7 +91,7 @@ export const updateQuotaAction = authenticatedActionClient.schema(ZUpdateQuotaAc
 ctx: AuthenticatedActionClientCtx;
 parsedInput: z.infer;
 }) => {
- const organizationId = await getOrganizationIdFromSurveyId(parsedInput.quota.surveyId);
+ const organizationId = await getOrganizationIdFromQuotaId(parsedInput.quotaId);
 await checkQuotasEnabled(organizationId);
 await checkAuthorizationUpdated({
 userId: ctx.user.id,
@@ -103,7 +103,7 @@ export const updateQuotaAction = authenticatedActionClient.schema(ZUpdateQuotaAc
 },
 {
 type: "projectTeam",
- projectId: await getProjectIdFromSurveyId(parsedInput.quota.surveyId),
+ projectId: await getProjectIdFromQuotaId(parsedInput.quotaId),
 minPermission: "readWrite",
 },
 ],
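Review bot: `updateQuotaAction` still accepts `parsedInput.quota.surveyId` from the caller (the removed line in the `@@ -91` hunk read it), and nothing in these hunks checks it against the survey that the quota resolved by `quotaId` actually belongs to; if the update further down writes `quota.surveyId`, the authorization is scoped to the quota's current project while the write can move it under a different survey. The same applies to `parsedInput.surveyId` in `deleteQuotaAction` (`@@ -46` hunk), which is now unused by the authorization path but presumably still accepted by `ZDeleteQuotaAction`. Suggest either removing those fields from the schemas or loading the quota once and rejecting on mismatch, e.g. `if (quota.surveyId !== parsedInput.quota.surveyId) throw new Error("quota does not belong to survey");`, which would also let the `@@ -58` and `@@ -103` hunks reuse that row instead of resolving `getProjectIdFromQuotaId` separately. Both action bodies continue outside the hunks, and the imports for `getOrganizationIdFromQuotaId`/`getProjectIdFromQuotaId` are not in the diff, so confirm they are already in scope.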