
Viewer can create Sensor via POST /Sensors (broken RBAC) #119

@bhudevbhanpuriya

Description


Summary

A low-privilege (viewer) account is able to perform a create operation on the POST /Sensors endpoint. This indicates a potential RBAC (Role-Based Access Control) bypass, where users with insufficient permissions can execute actions intended only for higher-privilege roles.

Expected Behavior

  • Admin/editor roles: Request should succeed with 201 Created.
  • Viewer/unauthorized roles: Request should be blocked with 403 Forbidden (or 401 Unauthorized depending on API design).

Actual Behavior

  • Viewer role is able to successfully create a sensor using POST /Sensors, receiving a 201 Created response.

Image

Steps to Reproduce

  1. Authenticate as a low-privilege user (viewer) and obtain an access token.
  2. Send a POST /Sensors request with:
    • Valid request body
    • Required headers (including commit-message if applicable)
  3. Observe the response:
    • If 201 Created is returned, the issue is confirmed.
  4. Repeat the same request using an admin token:
    • Confirm that the request succeeds as expected.

Impact

Unauthorized users can create sensor entities, which:

  • Compromises data integrity
  • Introduces potential misuse or spam data
  • Violates expected access control policies

Evidence

  • Same request:
    • Succeeds with viewer token (unexpected)
    • Succeeds with admin token (expected)

Suggested Fix

Ensure proper RBAC enforcement on the POST /Sensors endpoint by:

  • Validating user roles before allowing create operations
  • Restricting access to admin/editor roles only
  • Adding explicit authorization checks (not just authentication)

Notes

This is a high-impact but easy-to-reproduce issue and serves as a good candidate for initial RBAC validation and regression testing.
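The following is an added example of the fix shape the report asks for, not code from this project: a request pipeline in which authentication (is the token valid?) and authorization (may this role perform this action?) are separate, explicit steps, with an allow-list policy so that an unlisted role fails closed. It also replays the issue's reproduction steps as a regression check. The token table, role names (admin/editor/viewer), the `Authorization: Bearer` header and the sensor schema are constructed for the example and are assumptions, not the project's API.

```python
# Added example (not the project's code): explicit RBAC enforcement for
# POST /Sensors, modelled framework-agnostically so it runs offline.
# Tokens, role names and the sensor schema below are constructed.

from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed token -> principal lookup, standing in for whatever the real
# API uses to validate credentials (JWT verification, session store, ...).
TOKENS: Dict[str, dict] = {
    "tok-admin-1": {"sub": "alice", "role": "admin"},
    "tok-editor-1": {"sub": "bob", "role": "editor"},
    "tok-viewer-1": {"sub": "carol", "role": "viewer"},
}

# Explicit allow-list: which roles may perform which (method, path).
# Anything not listed is denied, so a missing entry fails closed.
POLICY: Dict[tuple, set] = {
    ("POST", "/Sensors"): {"admin", "editor"},
    ("GET", "/Sensors"): {"admin", "editor", "viewer"},
}

@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)

SENSORS: List[dict] = []  # in-memory store for the example

def authenticate(headers: dict) -> Optional[dict]:
    """Return the principal for a bearer token, or None if absent/invalid."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])

def authorize(principal: dict, method: str, path: str) -> bool:
    """Authorization is a separate step from authentication: a valid token
    alone is never enough to reach the create handler."""
    return principal.get("role") in POLICY.get((method, path), set())

def create_sensor(body: dict) -> Response:
    """Handler only runs after the role check has passed."""
    name = body.get("name")
    if not isinstance(name, str) or not name:
        return Response(400, {"error": "name is required"})
    sensor = {"id": len(SENSORS) + 1, "name": name}
    SENSORS.append(sensor)
    return Response(201, sensor)

def handle(method: str, path: str, headers: dict, body: dict) -> Response:
    """Dispatch in the order authn -> authz -> handler, so an unauthenticated
    caller gets 401 and an authenticated but under-privileged caller gets 403."""
    principal = authenticate(headers)
    if principal is None:
        return Response(401, {"error": "authentication required"})
    if not authorize(principal, method, path):
        return Response(403, {"error": "insufficient role"})
    if (method, path) == ("POST", "/Sensors"):
        return create_sensor(body)
    if (method, path) == ("GET", "/Sensors"):
        return Response(200, {"sensors": list(SENSORS)})
    return Response(404, {"error": "not found"})

def rbac_regression_check() -> Dict[str, int]:
    """Replay the issue's reproduction steps: the same POST /Sensors request
    with a viewer token, an admin token, an editor token and no token.
    Returns the status code each caller received."""
    body = {"name": "temp-probe-7"}  # constructed, valid request body
    callers = [("viewer", "tok-viewer-1"), ("admin", "tok-admin-1"),
               ("editor", "tok-editor-1"), ("none", "")]
    results = {}
    for label, token in callers:
        headers = {"Authorization": f"Bearer {token}"} if token else {}
        results[label] = handle("POST", "/Sensors", headers, body).status
    return results

if __name__ == "__main__":
    # Expected on a fixed endpoint: viewer 403, admin 201, editor 201, none 401
    print(rbac_regression_check())
```

The regression check is the part worth keeping in CI: it encodes the issue's expected behavior (viewer blocked with 403, admin/editor succeed with 201) so that a future change to the policy table or dispatch order that reopens the bypass fails the build rather than being rediscovered by hand.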
