fix(admin): guard GET /api/users/{id} with @RequirePermission(ADMIN_USER)

Fixes IDOR: the endpoint was publicly accessible to any authenticated user. Now requires ADMIN_USER permission, matching all other user management endpoints. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-30 01:09:40 +02:00
parent 169e6dc578
commit 8fc360a596
22 changed files with 844 additions and 346 deletions
--- a/frontend/src/routes/admin/users/new/+page.server.ts
+++ b/frontend/src/routes/admin/users/new/+page.server.ts
@@ -40,6 +40,6 @@ export const actions: Actions = {
 			return fail(result.response.status, { error: getErrorMessage(code) });
 		}

-		throw redirect(303, '/admin');
+		throw redirect(303, '/admin/users');
 	}
 };
--- a/frontend/src/routes/admin/users/new/+page.svelte
+++ b/frontend/src/routes/admin/users/new/+page.svelte
@@ -8,64 +8,57 @@ import AccountSection from './AccountSection.svelte';
 let { data, form } = $props();
 </script>

-<div class="mx-auto max-w-3xl px-4 py-8 sm:px-6 lg:px-8">
-	<a
-		href="/admin"
-		class="group mb-4 inline-flex items-center text-xs font-bold tracking-widest text-ink-2 uppercase transition-colors hover:text-ink"
-	>
-		<svg
-			class="mr-2 h-4 w-4 transform transition-transform group-hover:-translate-x-1"
-			fill="none"
-			viewBox="0 0 24 24"
-			stroke="currentColor"
-			stroke-width="2"
-		>
-			<path stroke-linecap="round" stroke-linejoin="round" d="M15 19l-7-7 7-7" />
-		</svg>
-		{m.btn_back_to_overview()}
-	</a>
+<div class="flex flex-1 flex-col overflow-hidden">
+	<!-- Detail panel header -->
+	<div class="flex items-center border-b border-line px-5 py-3">
+		<h2 class="flex-1 font-sans text-sm font-bold text-ink">{m.admin_user_new_heading()}</h2>
+	</div>

-	<h1 class="mb-6 font-serif text-3xl font-bold text-ink">{m.admin_user_new_heading()}</h1>
+	<!-- Scrollable body -->
+	<div class="flex-1 overflow-y-auto px-5 py-5">
+		{#if form?.error}
+			<div class="mb-5 rounded border border-red-200 bg-red-50 p-3 text-sm text-red-700">
+				{form.error}
+			</div>
+		{/if}

-	{#if form?.error}
-		<div class="mb-5 rounded border border-red-200 bg-red-50 p-3 text-sm text-red-700">
-			{form.error}
-		</div>
-	{/if}
-
-	<div class="rounded-sm border border-line bg-surface p-6 shadow-sm">
-		<form method="POST" use:enhance class="space-y-5">
-			<AccountSection />
+		<form id="new-user-form" method="POST" use:enhance class="space-y-5">
+			<div class="rounded-sm border border-line bg-surface p-5 shadow-sm">
+				<AccountSection />
+			</div>

 			<!-- Profile -->
-			<h2 class="pt-2 text-xs font-bold tracking-widest text-ink-3 uppercase">
-				{m.profile_section_personal()}
-			</h2>
-			<UserProfileSection />
+			<div class="rounded-sm border border-line bg-surface p-5 shadow-sm">
+				<h3 class="mb-4 text-xs font-bold tracking-widest text-ink-3 uppercase">
+					{m.profile_section_personal()}
+				</h3>
+				<UserProfileSection />
+			</div>

 			<!-- Groups -->
-			<h2 class="pt-2 text-xs font-bold tracking-widest text-ink-3 uppercase">
-				{m.admin_col_groups()}
-			</h2>
-			<UserGroupsSection groups={data.groups} />
-
-			<!-- Save bar -->
-			<div
-				class="mt-4 flex items-center justify-between rounded-sm border border-line bg-surface px-6 py-4 shadow-sm"
-			>
-				<a
-					href="/admin"
-					class="font-sans text-xs font-bold tracking-widest text-ink-2 uppercase hover:text-ink"
-				>
-					{m.btn_cancel()}
-				</a>
-				<button
-					type="submit"
-					class="rounded-sm bg-primary px-5 py-2 font-sans text-xs font-bold tracking-widest text-primary-fg uppercase transition-opacity hover:opacity-80"
-				>
-					{m.btn_create()}
-				</button>
+			<div class="rounded-sm border border-line bg-surface p-5 shadow-sm">
+				<h3 class="mb-4 text-xs font-bold tracking-widest text-ink-3 uppercase">
+					{m.admin_col_groups()}
+				</h3>
+				<UserGroupsSection groups={data.groups} />
 			</div>
 		</form>
 	</div>
+
+	<!-- Docked footer -->
+	<div class="flex items-center justify-between border-t border-line bg-surface px-5 py-3">
+		<a
+			href="/admin/users"
+			class="font-sans text-xs font-bold tracking-widest text-ink-2 uppercase hover:text-ink"
+		>
+			{m.btn_cancel()}
+		</a>
+		<button
+			type="submit"
+			form="new-user-form"
+			class="rounded-sm bg-primary px-5 py-2 font-sans text-xs font-bold tracking-widest text-primary-fg uppercase transition-opacity hover:opacity-80"
+		>
+			{m.btn_create()}
+		</button>
+	</div>
 </div>
--- a/frontend/src/routes/admin/users/new/page.svelte.spec.ts
+++ b/frontend/src/routes/admin/users/new/page.svelte.spec.ts
@@ -33,18 +33,11 @@ describe('Admin new user page – rendering', () => {
 		await expect.element(page.getByText('Admins')).toBeInTheDocument();
 	});

-	it('cancel link points to /admin', async () => {
+	it('cancel link points to /admin/users', async () => {
 		render(Page, { data: baseData, form: null });
 		await expect
 			.element(page.getByRole('link', { name: /Abbrechen/i }))
-			.toHaveAttribute('href', '/admin');
-	});
-
-	it('back link points to /admin', async () => {
-		render(Page, { data: baseData, form: null });
-		await expect
-			.element(page.getByRole('link', { name: /Zurück/i }))
-			.toHaveAttribute('href', '/admin');
+			.toHaveAttribute('href', '/admin/users');
 	});

 	it('renders the create button', async () => {