Fix: add auth and owner isolation to saved views API (closes #1743)#2025
Fix: add auth and owner isolation to saved views API (closes #1743)#2025S0412-2007 wants to merge 2 commits into
Conversation
|
@utksh1 , This is ready for review whenever you get a chance. Summary of the fix:
|
utksh1
left a comment
There was a problem hiding this comment.
The migration scopes saved views, but it still treats X-User-Id as the caller identity. A client with the shared API key can simply set X-User-Id to another known owner, so this does not resolve the BOLA claim. Please derive owner_id from an authenticated principal (or trusted, authenticated upstream identity), and add a regression test showing a client cannot select a different owner merely by changing a request header.
Ok.. Sure @utksh1 I request you to give me a 2 days time for me to correct it. |
Description
Removes a critical BOLA (Broken Object Level Authorization) vulnerability in the saved views API. The
/api/v1/saved-viewsendpoints had no auth dependency and never scoped queries by owner — any caller could list,rename, overwrite, or delete every user's saved views. The underlying
saved_viewstable didn't even have anowner_idcolumn.Related Issues
Closes #1743
Type of Change
How Has This Been Tested?
Ran the existing and newly added tests in
testing/backend/unit/test_saved_views.py, including new regressiontests for: unauthenticated requests being rejected, cross-owner list isolation, per-owner name reuse, and blocking cross-owner update/delete by guessing a view id.
Checklist