fix(roles): prevent privilege escalation via role permissions #93
No reviewers
Labels
No labels
area:api
area:core
area:docs
area:infra
area:ux
dependencies
documentation
duplicate
good first issue
help wanted
invalid
question
rust
status:complete
status:partial
status:planned
type:bug
type:design
type:feature
type:infra
type:refactor
type:refactor
type:research
type:ux
wontfix
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
icub3d/decentcom!93
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "feature/75-role-perm-escalation"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
Fixes the critical privilege-escalation hole reported in #75.
create_roleandupdate_rolepassed the requested permission bits straight to storage, gating only onMANAGE_ROLESand role position — never on whether the caller actually held those bits. A user withMANAGE_ROLESbut notADMINISTRATORcould:POST /roleswithpermissions = ADMINISTRATOR, positioned just below their own role;PUT /members/{self}/roles/{new_role}(only a position check);Fix
New
ensure_can_grant(auth, requested)guard:permissionsnever includesADMINISTRATOR, so(requested & !auth.permissions) != 0rejects any unheld bit (includingADMINISTRATOR) with403.Wired into both
create_role(before position handling) andupdate_role(whenpermissionsis present, alongside the existing@admin-immutable guard).Tests
Added regression tests in
server/src/roles/mod.rs:manage_roles_user_cannot_grant_administrator→ 403manage_roles_user_cannot_grant_unheld_permission→ 403, plus the allowed case (granting only held bits) → 200manage_roles_user_cannot_escalate_via_update→ 403Verified the tests fail without the guard (revert-check) and pass with it. Full server suite green (118 tests),
cargo clippy -p server --all-targets -- -D warningsclean.Closes #75