From 35b66f2e96363a71c8a940fb248bc140853f757a Mon Sep 17 00:00:00 2001
From: aazad
Date: Thu, 9 Apr 2026 23:52:34 -0500
Subject: [PATCH] Fix IDOR in link management endpoints

Three link management endpoints accept user-supplied link IDs without verifying ownership, allowing any authenticated user to modify other users' links:

- POST /studio/edit-link (saveLink): add ownership check before update
- POST /studio/sort-link (sortLinks): add user_id where clause
- GET /clearIcon/{id}: add existing link-id middleware to route
---
 app/Http/Controllers/UserController.php | 4 ++++
 routes/web.php | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/app/Http/Controllers/UserController.php b/app/Http/Controllers/UserController.php
index 3014d810..6fa392c3 100755
--- a/app/Http/Controllers/UserController.php
+++ b/app/Http/Controllers/UserController.php
@@ -292,6 +292,9 @@ public function saveLink(Request $request)
         $filteredLinkData['type_params'] = json_encode($customParams);
 
         if ($OrigLink) {
+            if ($OrigLink->user_id !== $userId) {
+                abort(403);
+            }
             $currentValues = $OrigLink->getAttributes();
             $nonNullFilteredLinkData = array_filter($filteredLinkData, function($value) {return !is_null($value);});
             $updatedValues = array_merge($currentValues, $nonNullFilteredLinkData);
@@ -335,6 +338,7 @@ public function sortLinks(Request $request)
             $linkNewOrders[$linkId] = $newOrder;
 
             Link::where("id", $linkId)
+                ->where("user_id", Auth::user()->id)
                 ->update([
                     'order' => $newOrder
                 ]);
diff --git a/routes/web.php b/routes/web.php
index c58d8b1f..3bf6335c 100755
--- a/routes/web.php
+++ b/routes/web.php
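Review bot: The new ownership guard in saveLink compares `$OrigLink->user_id !== $userId` with strict inequality, so it will reject every legitimate edit if the two sides differ in type (for example an uncast `user_id` string from the database against an int from `Auth::id()`); `$userId` and the `$OrigLink` lookup are defined above the hunk, so please confirm both are ints or normalise with `if ((int) $OrigLink->user_id !== (int) $userId) { abort(403); }`. A 403 here also tells the caller that the guessed id exists; adding `->where('user_id', $userId)` to the query that produces `$OrigLink` instead makes a foreign id indistinguishable from a missing one and keeps the ownership rule in one place. The `else` (create) branch and the eventual save are outside the hunk; it is worth confirming that `user_id` and `id` in `$filteredLinkData` come from the session rather than the request, otherwise the `array_merge` on the `$updatedValues` line can still move a link to another owner.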
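Review bot: In sortLinks the added `->where("user_id", Auth::user()->id)` turns a foreign link id into a zero-row update, yet `$linkNewOrders[$linkId] = $newOrder;` two lines above still records that id as reordered, so whatever the method does with `$linkNewOrders` after the loop (outside the hunk) may report or act on an update that never happened. Using the affected-row count keeps the bookkeeping honest: `$affected = Link::where("id", $linkId)->where("user_id", Auth::id())->update(['order' => $newOrder]);` followed by `if ($affected === 1) { $linkNewOrders[$linkId] = $newOrder; }`, and logging the zero-row case leaves a trace of the attempt for detection. `Auth::id()` also avoids loading the user model on every iteration and reads consistently with the `$userId` that saveLink's new check uses; resolving it once before the loop would be cleaner still.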
@@ -120,7 +120,7 @@
 Route::get('/studio/profile', [UserController::class, 'showProfile'])->name('showProfile');
 Route::post('/studio/profile', [UserController::class, 'editProfile'])->name('editProfile');
 Route::post('/edit-icons', [UserController::class, 'editIcons'])->name('editIcons');
-Route::get('/clearIcon/{id}', [UserController::class, 'clearIcon'])->name('clearIcon');
+Route::get('/clearIcon/{id}', [UserController::class, 'clearIcon'])->name('clearIcon')->middleware('link-id');
 Route::get('/studio/page/delprofilepicture', [UserController::class, 'delProfilePicture'])->name('delProfilePicture');
 Route::get('/studio/delete-user/{id}', [UserController::class, 'deleteUser'])->name('deleteUser')->middleware('verified');
 Route::post('/auth-as', [AdminController::class, 'authAs'])->name('authAs');
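Review bot: `/clearIcon/{id}` is a state-changing action registered with `Route::get`, and Laravel's CSRF token check only applies to non-GET verbs, so even with `link-id` enforcing ownership a cross-site GET still triggers it without any token; registering it as `Route::post('/clearIcon/{id}', ...)` (or `Route::delete`) closes that, and the GET `delprofilepicture` and `delete-user/{id}` routes in the same hunk have the same shape. The fix is only as strong as the `link-id` middleware, whose implementation is not in this patch; it should be confirmed that it compares the `{id}` link's `user_id` with the authenticated user rather than only checking that the link exists, and that it fails closed. `/studio/delete-user/{id}` two lines below carries only `verified`; if the controller does not restrict `{id}` to the current user or an admin, it deserves the same ownership check this commit adds elsewhere.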