Security: Missing workspace authorization check when creating Server records #6

@Snider

Description

The Servers.php component creates new Server records without explicitly setting the workspace_id from the current authenticated user's workspace context.

Location

  • File: src/View/Modal/Admin/Servers.php
  • Lines: 101-125

Issue

When creating a new server, the code does not explicitly set the workspace_id:

The data array only includes: name, ip, port, user, status, and optionally private_key.

While the Server model has a BelongsToWorkspace trait, the workspace_id should be explicitly validated and set during creation to prevent:

  1. Orphaned records if the global scope is not applied
  2. IDOR vulnerabilities if workspace_id can be mass-assigned from the request

Recommendation

  1. Explicitly set workspace_id in the create data array
  2. Ensure workspace_id is NOT in the fillable array (remove from mass assignment)
  3. Add validation that the user belongs to the workspace being assigned

Severity

Medium - Could lead to data isolation issues in a multi-tenant environment
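
The three recommendations above, sketched in plain PHP as an added example (not code from Servers.php or the project). `User`, `ServerRecord` and `createServer()` are hypothetical stand-ins for the Eloquent model and the component's save path, and the current workspace id is assumed to be resolved server-side from the authenticated session.

```php
<?php
// Added illustration only; all class and function names here are hypothetical.
final class User
{
    public function __construct(public int $id, public array $workspaceIds) {}

    public function belongsToWorkspace(int $workspaceId): bool
    {
        return in_array($workspaceId, $this->workspaceIds, true);
    }
}

final class ServerRecord
{
    // workspace_id is deliberately absent, so request input can never set it.
    private const FILLABLE = ['name', 'ip', 'port', 'user', 'status', 'private_key'];

    public array $attributes = [];

    public function fill(array $input): static
    {
        // Keep only allow-listed keys, mirroring mass-assignment protection.
        $this->attributes = array_intersect_key($input, array_flip(self::FILLABLE));
        return $this;
    }
}

function createServer(User $actor, int $currentWorkspaceId, array $input): ServerRecord
{
    // Recommendation 3: the actor must be a member of the target workspace.
    if (!$actor->belongsToWorkspace($currentWorkspaceId)) {
        throw new RuntimeException('User is not a member of this workspace');
    }
    $server = (new ServerRecord())->fill($input);               // recommendation 2
    $server->attributes['workspace_id'] = $currentWorkspaceId;  // recommendation 1
    return $server;
}

// Constructed request input that carries a workspace_id for a different tenant.
$input = ['name' => 'web-1', 'ip' => '192.0.2.10', 'port' => 22, 'user' => 'deploy',
          'status' => 'pending', 'workspace_id' => 999];
$actor = new User(id: 1, workspaceIds: [7]);

$server = createServer($actor, 7, $input);
echo 'stored workspace_id: ', $server->attributes['workspace_id'], PHP_EOL;

try {
    createServer($actor, 999, $input); // actor is not a member of workspace 999
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```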
