[SECURITY] fix: add authentication and tenant isolation to ticket endpoints (critical)#2919
[SECURITY] fix: add authentication and tenant isolation to ticket endpoints (critical)#2919namann5 wants to merge 1 commit into
Conversation
…oints (critical)
Three vulnerabilities fixed in tickets router:
1. POST /tickets (create_ticket) - Had NO authentication at all.
Added Depends(get_current_user).
2. PATCH /tickets/{ticket_id} (update_ticket) - Had NO authentication.
Added Depends(get_current_user).
3. GET /tickets/{ticket_id} (get_ticket_by_id) - Had authentication but
NO tenant ownership verification (IDOR). Any authenticated user could
read any ticket across all companies. Added company_id match check
returning 403 Forbidden on cross-tenant access.
4. GET /tickets (get_tickets) - Optional company_id param allowed any
authenticated user to see all tickets across all tenants. Now defaults
to the authenticated user's company_id.
|
@namann5 is attempting to deploy a commit to the ritesh Team on Vercel. A member of the Team first needs to authorize it. |
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1723ddda56
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
1 participant
🔒 Security Fix: Missing Auth & IDOR on Ticket Endpoints
Fixes #2916
Vulnerabilities Fixed
POST /ticketsDepends(get_current_user)PATCH /tickets/{id}Depends(get_current_user)GET /tickets/{id}GET /ticketsVerification
backend/routers/tickets.pychangedSeverity: Critical — CVSS 8.8 (Missing Authentication + IDOR)
Level:
critical|advanced