Skip to content

Nityam/fix private assets authorization#3968

Merged
raclim merged 3 commits intoprocessing:developfrom
Nixxx19:nityam/fix-private-assets-authorization
Mar 9, 2026
Merged

Nityam/fix private assets authorization#3968
raclim merged 3 commits intoprocessing:developfrom
Nixxx19:nityam/fix-private-assets-authorization

Conversation

@Nixxx19
Copy link
Contributor

@Nixxx19 Nixxx19 commented Mar 3, 2026

Issue:

Fixes #3904

The getProjectAsset() endpoint was serving project assets (files, images) for any project ID without checking the project's visibility setting. This security vulnerability allowed anyone who knew or guessed a project ID to access Private project assets, even when logged out or as a different user. While project listings correctly filter by visibility, this endpoint did not enforce the same authorization checks.

Changes:

Added authorization check to getProjectAsset():

  • Added visibility and ownership validation before serving assets
  • Private projects are now only accessible to their owners
  • Unauthenticated users are blocked from accessing private project assets (returns 403)
  • Non-owners are blocked from accessing private project assets (returns 403)
  • Public projects remain accessible to everyone (no breaking changes)

Security improvements:

  • Prevents unauthorized access to private project assets
  • Protects all vulnerable routes: /full/:project_id/*, /embed/:project_id/*, /:username/sketches/:project_id/*, /present/:project_id/*
  • Uses proper ObjectId comparison for ownership verification
  • Follows the same authorization pattern as other protected endpoints in the codebase

Added comprehensive test coverage:

  • Created test suite with 8 test cases covering all scenarios
  • Tests verify: unauthenticated access blocking, non-owner blocking, owner access, public project access, and error handling
  • All tests pass successfully

Files changed:

  • server/controllers/project.controller.js: Added visibility and ownership check to getProjectAsset function
  • server/controllers/project.controller/__test__/getProjectAsset.test.js: Added comprehensive test suite

I have verified that this pull request:

  • has no linting errors (npm run lint)
  • has no test errors (npm run test)
  • has no typecheck errors (npm run typecheck)
  • is from a uniquely-named feature branch and is up to date with the develop branch.
  • is descriptively named and links to an issue number, i.e. Fixes #3904
  • meets the standards outlined in the accessibility guidelines

@Nixxx19 Nixxx19 mentioned this pull request Mar 3, 2026
Closed
raclim
raclim reviewed Mar 9, 2026
View reviewed changes
raclim
raclim approved these changes Mar 9, 2026
View reviewed changes
Copy link
Collaborator

@raclim raclim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks so much for adding in the tests, this is an awesome start!

@raclim raclim merged commit 280fb38 into processing:develop Mar 9, 2026
1 check passed
@Nixxx19
Copy link
Contributor Author

Nixxx19 commented Mar 9, 2026

Thanks so much for adding in the tests, this is an awesome start!

thank you!!

@ksen0
Copy link
Member

ksen0 commented Mar 9, 2026

Nice tests, thanks!

@Nixxx19
Copy link
Contributor Author

Nixxx19 commented Mar 9, 2026

Nice tests, thanks!

thank you!!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@raclim raclim raclim approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Private project assets exposed without authorization check

3 participants

@Nixxx19 @ksen0 @raclim