
Vehicle details can be seen by any logged in user if url is known

Open caspre24 opened this issue 1 year ago • 2 comments

Before creating a bug report please make sure you are using the latest docker image / code base.

Please complete the following information

  • Installation Type: [Docker]
    • Running locally with docker compose file from readme
  • Have you tried using the latest docker image / code base [yes]
    • Current Version 2022.07.06

Describe the bug

A vehicle's details can be opened by any logged-in user if the URL is known. This is an issue when a vehicle was previously shared with a user (so they know the URL) but isn't anymore. Having shared the vehicle before is not required for the bug though.

To Reproduce

Steps to reproduce the behavior:

  1. Have at least two users.
  2. Create vehicle with user A.
  3. Do NOT share vehicle with user B.
  4. Remember the vehicle URL.
  5. Log in with user B.
  6. Open the URL from step 4.
  7. See all details of the unshared vehicle.

Expected behavior

User B cannot access vehicles that are owned by user A and not shared with user B.

Screenshots

If applicable, add screenshots to help explain your problem.

Additional context

  • Without a logged-in user, the vehicle URL redirects correctly to the login screen.
  • As user B, adding expenses or fillups fails because the vehicle is not selectable from the dropdown. I haven't tested using any REST API directly, so that might be worth checking.

Let me know if you need more info or logs.

caspre24 · Sep 29 '24 21:09

I didn't test, maybe you are right. Looks like there are no checks in place to see if you "own" the resource. Something like this: https://github.com/gin-gonic/gin/issues/2612, adding a router middleware to block unwanted interaction.

Edit: https://gin-gonic.com/docs/examples/using-middleware/ in the docs as well.

Goloso98 · Oct 09 '24 20:10

So there are currently no "permissions" on vehicles. However, I see how this can be confusing. I'll look into creating a permission model for users -> vehicles.

AlfHou · Nov 11 '24 19:11
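An added example, not hammond's own code, of the object-level check Goloso98's middleware suggestion and AlfHou's users -> vehicles permission model both point at: a vehicle read succeeds only for its owner or a user it is currently shared with, so revoking a share revokes access even when the URL is remembered. It is written against Go's standard net/http rather than gin so it runs stand-alone; the Vehicle shape, the in-memory store and the user ids are assumptions.

```go
package main

import (
	"context"
	"encoding/json"
	"net/http"
	"strings"
)

// Vehicle is a constructed stand-in for a vehicle record (assumed shape, not hammond's).
type Vehicle struct {
	ID         string   `json:"id"`
	OwnerID    string   `json:"ownerId"`
	SharedWith []string `json:"sharedWith"`
}

// Constructed store: user-a owns both; veh-2 is shared with user-b, veh-1 with nobody.
var vehicles = map[string]Vehicle{
	"veh-1": {ID: "veh-1", OwnerID: "user-a"},
	"veh-2": {ID: "veh-2", OwnerID: "user-a", SharedWith: []string{"user-b"}},
}

type userKey struct{}

// WithUser stands in for the existing session middleware (the one that already redirects anonymous requests to login).
func WithUser(r *http.Request, userID string) *http.Request {
	return r.WithContext(context.WithValue(r.Context(), userKey{}, userID))
}

// CanAccess is the check the report says is missing: the owner, or a user the vehicle
// is *currently* shared with, may read it; any other logged-in user may not.
func CanAccess(v Vehicle, userID string) bool {
	if userID != "" && v.OwnerID == userID {
		return true
	}
	for _, u := range v.SharedWith {
		if u == userID {
			return true
		}
	}
	return false
}

// VehicleHandler serves GET /vehicles/{id}; being logged in is not enough on its own.
func VehicleHandler(w http.ResponseWriter, r *http.Request) {
	userID, _ := r.Context().Value(userKey{}).(string)
	v, ok := vehicles[strings.TrimPrefix(r.URL.Path, "/vehicles/")]
	// Same 404 for "missing" and "not yours", so a user cannot probe which ids exist.
	if !ok || !CanAccess(v, userID) {
		http.NotFound(w, r)
		return
	}
	json.NewEncoder(w).Encode(v)
}
```

The same CanAccess call belongs in every handler that takes a vehicle id, including the expense and fillup endpoints the report mentions, not only the page that renders the vehicle.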