[HIGH] Prevent mass assignment and add role-based auth to admin endpoints (Fixes #2894)

[namann5]

Mass Assignment Vulnerability — Any Authenticated User Can Modify Any Profile Field (Privilege Escalation)

Severity: HIGH (CVSS 8.0)

Location: backend/routers/admin.py:17

Description

The PATCH /profiles/{user_id} endpoint accepts a raw updates: dict parameter without a Pydantic schema or field allowlist. Any authenticated user can update ANY field on ANY user's profile, including:

• role — escalate to admin/master_admin
• status — bypass email verification, suspend other users
• company_id — change tenant assignment
• email — take over other accounts

@router.patch("/profiles/{user_id}")
async def api_update_profile(
    user_id: str,
    updates: dict,           # <-- No schema validation — ANY field accepted
    current_user: dict = Depends(get_current_user),
):
    if not supabase: return {}
    res = supabase.table("profiles").update(updates).eq("id", user_id).execute()
    return res.data[0] if res.data else {}

There is NO:

1. Authorization check (is the user an admin?)
2. Schema validation (what fields are allowed?)
3. Ownership check (is the user updating their own profile?)
4. Field allowlist/blocklist

Impact

• Privilege escalation: Any authenticated user can set role: "admin" or role: "master_admin" on their own profile
• Account takeover: Change another user's email or status
• Tenant escape: Change company_id to access other organizations' data
• Data integrity: Delete or corrupt critical profile fields

Proof of Concept

# Any authenticated user can escalate to admin:
PATCH /profiles/{their_user_id}
{"role": "admin"}

Fix

Use a Pydantic model to restrict updatable fields:

class ProfileUpdate(BaseModel):
    full_name: Optional[str] = None
    avatar_url: Optional[str] = None
    # role and status should NOT be user-updatable

And add role-based authorization:

async def api_update_profile(
    user_id: str,
    updates: ProfileUpdate,
    current_user: dict = Depends(get_current_user),
):
    if current_user.get("id") != user_id and current_user.get("role") not in ("admin", "master_admin"):
        raise HTTPException(status_code=403, detail="Not authorized")
    ...

References

• backend/routers/admin.py:17 — updates: dict without schema
• OWASP: Mass Assignment (A05:2021)

[vercel]

@namann5 is attempting to deploy a commit to the ritesh Team on Vercel.

A member of the Team first needs to authorize it.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d12d6e18-79b2-4198-bfac-b49bcc7d09d8

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}