Fix: Resolve IDOR on Fetching Replies API #276
Conversation
@riddhima25bet10005-a11y is attempting to deploy a commit to the Karan Mani Tripathi's projects Team on Vercel. A member of the Team first needs to authorize it.
Hey @knoxiboy |
@knoxiboy reviewed? |
# Conflicts:
#	app/api/replies/route.ts
…s on fix-268 branch
Hey @knoxiboy |
Pull request overview
This PR aims to fix an IDOR vulnerability in GET /api/replies by enforcing classroom membership checks before returning replies for classroom-scoped doubts. It also includes unrelated UI updates to the site footer.
Changes:
- Added a classroom membership authorization check to `GET /api/replies` for doubts with `classroomId`.
- Updated the footer component formatting and added new "Resources" links (e.g., Public Doubts, Bookmarks).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| app/api/replies/route.ts | Adds classroom membership validation to prevent unauthorized access to replies for classroom-scoped doubts. |
| components/Footer.tsx | Adds new footer links and refactors rendering/styling/accessibility attributes. |
Comments suppressed due to low confidence (1)
components/Footer.tsx:35
- This file includes user-facing footer/navigation changes (new Resources links and styling tweaks), but the PR description only mentions the replies IDOR fix and a test syntax fix. Please either update the PR description to include this UI change or split it into a separate PR to keep the security fix reviewable/auditable.
```tsx
{
  title: "Resources",
  links: [
    { label: "Public Doubts", href: "/public-rooms" },
    { label: "Bookmarks", href: "/bookmarks" },
    { label: "Privacy Policy", href: "/privacy-policy" },
    { label: "Terms of Service", href: "/terms-of-service" },
    { label: "About", href: "/about" },
    { label: "FAQs", href: "/faq" },
  ],
},
```
| const [membership] = await db.select().from(membershipsTable).where( | ||
| and(eq(membershipsTable.userEmail, email), eq(membershipsTable.classroomId, doubt.classroomId)) | ||
| ); |
| } else if (doubt.classroomId && !email) { | ||
| console.warn(`Anonymous user attempting to access replies for doubt ${doubtId} in classroom ${doubt.classroomId}`); | ||
| } |
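Review bot: the `membership` row selected in the first three lines of this snippet is never inspected, and the `else if (doubt.classroomId && !email)` branch only calls `console.warn` and continues, so neither a non-member nor an anonymous requester is actually rejected here. The query result needs an `if (!membership)` check that returns a 403 response, and the anonymous branch should return a 401/403 instead of logging, since a warning alone leaves the replies readable.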
| if (doubt.classroomId && email) { | ||
| const [membership] = await db.select().from(membershipsTable).where( | ||
| and(eq(membershipsTable.userEmail, email), eq(membershipsTable.classroomId, doubt.classroomId)) | ||
| ); | ||
| if (!membership) { | ||
| return NextResponse.json({ error: "Access denied to this classroom's doubt replies" }, { status: 403 }); | ||
| } |
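Review bot: the guard `if (doubt.classroomId && email)` means the 403 on a missing membership is only reached for authenticated requesters; a request with no `email` for a classroom-scoped doubt skips this block entirely, so unless an earlier check in the handler already rejects unauthenticated callers, the unauthenticated case named in the PR description remains open. Consider `if (doubt.classroomId) { if (!email) return NextResponse.json({ error: "Authentication required" }, { status: 401 }); ... }` so the membership requirement applies whenever the doubt is classroom-scoped, regardless of whether a session is present.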
Hi there! 👋 Thanks for your contribution to DoubtDesk. It looks like there are currently some merge conflicts between your branch and the Once the conflicts are resolved and the PR is clean, we'll be able to merge it!
Hey @knoxiboy |
Description
Fixes an Insecure Direct Object Reference (IDOR) vulnerability in the `GET /api/replies` endpoint where an unauthenticated or unauthorized user could fetch replies of private doubts belonging to classrooms they were not enrolled in.
The endpoint now correctly validates the classroom membership of the requesting user when fetching replies for a classroom-scoped doubt.
Fixes #268
Changes Made
Checklist
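An added example (not DoubtDesk's own route code) that models the membership check the description refers to as a pure function over a constructed in-memory membership table, so the classroom-scoped branch can be exercised without a database; the `Doubt` and `Membership` types, `authorizeReplies`, and the sample ids and emails are assumptions for illustration. It also covers the unauthenticated case the description names, rejecting a missing email on a classroom-scoped doubt with 401 rather than letting it fall through to the replies query.

```typescript
// Added example, not the project's code: the authorization decision for
// GET /api/replies as a pure function over an in-memory membership table.

type Doubt = { id: string; classroomId: string | null };
type Membership = { userEmail: string; classroomId: string };

// Constructed sample data standing in for the doubts and memberships tables.
const doubts: Doubt[] = [
  { id: "d1", classroomId: "c1" }, // classroom-scoped (private) doubt
  { id: "d2", classroomId: null }, // public doubt, readable by anyone
];
const memberships: Membership[] = [
  { userEmail: "alice@example.com", classroomId: "c1" },
];

type Decision =
  | { status: 200 }
  | { status: 401 | 403 | 404; error: string };

// A doubt with a classroomId may only be read by an authenticated member of
// that classroom. The anonymous case is rejected explicitly instead of being
// skipped by a `classroomId && email` guard, so the check cannot be bypassed
// by simply omitting the session.
function authorizeReplies(
  doubtId: string,
  email: string | null,
  ms: Membership[] = memberships,
): Decision {
  const doubt = doubts.find((d) => d.id === doubtId);
  if (!doubt) return { status: 404, error: "Doubt not found" };
  if (doubt.classroomId === null) return { status: 200 }; // public doubt
  if (!email) return { status: 401, error: "Authentication required" };
  const isMember = ms.some(
    (m) => m.userEmail === email && m.classroomId === doubt.classroomId,
  );
  if (!isMember) {
    return { status: 403, error: "Access denied to this classroom's doubt replies" };
  }
  return { status: 200 };
}
```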