
Unauthorized users can delete integrations

Open a8t opened this issue 4 years ago • 0 comments

Describe the bug

Any authenticated user can delete any user's Slack, Gmail, Mattermost, and Twilio integration if they have the right ID.

```elixir
def delete(conn, %{"id" => id}) do
  with %{account_id: _account_id} <- conn.assigns.current_user, # note the unused account_id
       %TwilioAuthorization{} = auth <-
         Twilio.get_twilio_authorization!(id),
       {:ok, %TwilioAuthorization{}} <- Twilio.delete_twilio_authorization(auth) do
    send_resp(conn, :no_content, "")
  end
end
```

Return of the Bodyguard...?

a8t · Apr 06 '21 04:04
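As an added, self-contained example (not papercups code), the unscoped shape from the report beside a hardened version that pins the caller's `account_id` in the `with` match, so a record owned by another account falls through to the `else` clause exactly like a missing record. The `Demo.*` modules, the in-memory rows and the non-raising `get_twilio_authorization/1` are constructed stand-ins for the real Phoenix context.

```elixir
# Added example, not project code: Demo.* modules and sample rows are constructed.
defmodule Demo.TwilioAuthorization do
  defstruct [:id, :account_id]
end

defmodule Demo.Twilio do
  alias Demo.TwilioAuthorization

  # Constructed in-memory rows standing in for the database table.
  @rows %{
    1 => %TwilioAuthorization{id: 1, account_id: "acct_a"},
    2 => %TwilioAuthorization{id: 2, account_id: "acct_b"}
  }

  # Non-raising stand-in for get_twilio_authorization!/1: nil when absent.
  def get_twilio_authorization(id), do: Map.get(@rows, id)
  def delete_twilio_authorization(%TwilioAuthorization{} = auth), do: {:ok, auth}
end

defmodule Demo.Controller do
  alias Demo.{Twilio, TwilioAuthorization}

  # Shape from the issue: the lookup never consults current_user.account_id,
  # so any authenticated caller who knows the id can delete the record.
  def delete_unscoped(_current_user, id) do
    with %TwilioAuthorization{} = auth <- Twilio.get_twilio_authorization(id),
         {:ok, _} <- Twilio.delete_twilio_authorization(auth) do
      {204, ""}
    else
      nil -> {404, "not found"}
    end
  end

  # Hardened: the pinned ^account_id makes ownership part of the match, and
  # a foreign record is answered like a missing one (no existence oracle).
  def delete_scoped(%{account_id: account_id}, id) do
    with %TwilioAuthorization{account_id: ^account_id} = auth <-
           Twilio.get_twilio_authorization(id),
         {:ok, _} <- Twilio.delete_twilio_authorization(auth) do
      {204, ""}
    else
      _ -> {404, "not found"}
    end
  end
end

# Constructed usage: a user of "acct_a" targets id 2, which belongs to "acct_b".
user_a = %{account_id: "acct_a"}
IO.inspect(Demo.Controller.delete_unscoped(user_a, 2), label: "unscoped, foreign id")
IO.inspect(Demo.Controller.delete_scoped(user_a, 2), label: "scoped, foreign id")
IO.inspect(Demo.Controller.delete_scoped(user_a, 1), label: "scoped, own id")
```

The same pinned-match change applies to the Slack, Gmail and Mattermost delete actions named in the report, since each has the same unscoped lookup shape.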