fix: get bookings handler for pbac and fallback roles #61
Cursor Bugbot has reviewed your changes and found 2 potential issues.
| userId: number; | ||
| permission: PermissionString; | ||
| fallbackRoles: MembershipRole[]; | ||
| orgId?: number; |
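Review bot: `orgId?: number;` is optional on this interface, and the comment below says it is dropped when delegating; besides forwarding it, document on the interface what an absent `orgId` means (no organization scoping versus an error), since callers of `getTeamIdsWithPermission` will otherwise assume the scoping happens whenever they pass it.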
orgId parameter not passed to delegated method
High Severity
The getTeamIdsWithPermission method receives orgId as a parameter but does not pass it to getTeamIdsWithPermissions. This causes the orgId filtering to be silently ignored when using the singular permission method, meaning teams from all organizations may be returned instead of only teams within the specified organization.
| ); | ||
|
|
||
| const isCurrentUser = filters.userIds.length === 1 && user.id === filters.userIds[0]; | ||
| const isCurrentUser = filters.userIds.includes(user.id); |
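Review bot: the `+` line's `filters.userIds.includes(user.id)` turns the self-only fast path into a check that passes for any list containing the caller's ID; keep the `-` line's strict `filters.userIds.length === 1 && user.id === filters.userIds[0]` form for that path and send every other `userIds` list through the accessible-scope check that the PR description says rejects with `FORBIDDEN`, so the later query never runs for IDs the caller cannot read.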
Authorization bypass by including own user ID
High Severity
The change from filters.userIds.length === 1 && user.id === filters.userIds[0] to filters.userIds.includes(user.id) allows authorization bypass. A user can now include unauthorized user IDs in the filter by also including their own ID, causing isCurrentUser to be true and bypassing the FORBIDDEN check at line 154, while the query at line 170 still fetches bookings for all specified users including unauthorized ones.
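The two forms of the check discussed above, side by side with a hardened decision that rejects any requested user ID outside the caller's scope, as an added example that is not the PR's own code; the `accessibleUserIdsFor` helper and the team membership data are constructed for illustration.

```typescript
// Added example, not code from the PR under review. It models the authorization
// decision for a bookings query: the "+" line's includes() check beside a
// hardened check that rejects any requested user ID outside the caller's scope.
// accessibleUserIdsFor and the sample team data are constructed for this example.

type User = { id: number };
type Filters = { userIds: number[] };

// Constructed sample: team -> member user IDs.
const TEAM_MEMBERS: Record<number, number[]> = {
  10: [1, 2, 3], // caller (user 1) holds booking.read here
  20: [4, 5],    // caller holds no permission here
};

// Scope = caller's own ID plus members of the teams the permission check
// returned (the PR obtains those via getTeamIdsWithPermission + fallback roles).
function accessibleUserIdsFor(user: User, permittedTeamIds: number[]): Set<number> {
  const scope = new Set<number>([user.id]);
  for (const teamId of permittedTeamIds) {
    for (const memberId of TEAM_MEMBERS[teamId] ?? []) scope.add(memberId);
  }
  return scope;
}

// The "+" line from the diff: true whenever the caller's own ID is in the list,
// so a filter of [1, 99] is treated like a self-only query.
function isCurrentUserLoose(user: User, filters: Filters): boolean {
  return filters.userIds.includes(user.id);
}

// The "-" line from the diff: true only for a self-only query.
function isCurrentUserStrict(user: User, filters: Filters): boolean {
  return filters.userIds.length === 1 && user.id === filters.userIds[0];
}

// Hardened decision: self-only passes; any other list must be a subset of scope,
// otherwise the handler should return FORBIDDEN before querying bookings.
function authorizeUserFilter(
  user: User, filters: Filters, permittedTeamIds: number[]
): "OK" | "FORBIDDEN" {
  if (isCurrentUserStrict(user, filters)) return "OK";
  const scope = accessibleUserIdsFor(user, permittedTeamIds);
  const outOfScope = filters.userIds.filter((id) => !scope.has(id));
  return outOfScope.length === 0 ? "OK" : "FORBIDDEN";
}
```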
Benchmark PR from qodo-benchmark#666
Note
Strengthens access control and scopes results using PBAC and fallback roles.
- PermissionCheckService.getTeamIdsWithPermission using booking.read + fallback roles (ADMIN, OWNER) and optional orgId, replacing manual admin/owner filters
- filters.userIds outside accessible scope with FORBIDDEN
- orgId to getTeamIdsWithPermission(s); splits logic into getTeamsWithPBACPermissions and getTeamsWithFallbackRoles, adds org-aware SQL filters, and de-dupes results
- getTeamIdsWithPermission(s) forwarding to repository
- orgId scoping and child team inclusion in permission queries
Written by Cursor Bugbot for commit 07d6cf4.