From 32b267f8c7e1653f2eee993d1cd2b4623fb9d3f3 Mon Sep 17 00:00:00 2001 From: tomaioo Date: Tue, 7 Jul 2026 11:28:43 -0700 Subject: [PATCH] fix(security): missing authorization check in ensureteamplan midd The `ensureTeamPlan` middleware sets `ctx.state.isTeamPlanRequired` based on whether the domain plan is 'team', but it does NOT enforce any restriction. The variable name suggests it should block non-team plans, yet it always calls `next()`. This is likely a logic bug where the developer intended to check if team plan is required and throw an error if not met, but instead only sets a boolean flag without enforcement. Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com> --- app/controllers/web/my-account/ensure-team-plan.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/app/controllers/web/my-account/ensure-team-plan.js b/app/controllers/web/my-account/ensure-team-plan.js index cd6a5d640..a61502063 100644 --- a/app/controllers/web/my-account/ensure-team-plan.js +++ b/app/controllers/web/my-account/ensure-team-plan.js @@ -4,7 +4,8 @@ */ function ensureTeamPlan(ctx, next) { - ctx.state.isTeamPlanRequired = ctx.state.domain.plan !== 'team'; + if (ctx.state.domain.plan !== 'team') + throw Boom.paymentRequired(ctx.translateError('TEAM_PLAN_REQUIRED')); return next(); }