marcel/familienarchiv
1
0
Fork 0
Code Issues 120 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(admin): guard GET /api/users/{id} with @RequirePermission(ADMIN_USER)

Browse Source 
Fixes IDOR: the endpoint was publicly accessible to any authenticated user.
Now requires ADMIN_USER permission, matching all other user management endpoints.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Marcel
2026-03-30 01:09:40 +02:00
parent 169e6dc578
commit 8fc360a596
22 changed files with 844 additions and 346 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
frontend/src/routes/admin/users/new/+page.server.ts
View File

@@ -40,6 +40,6 @@ export const actions: Actions = {
return fail(result.response.status, { error: getErrorMessage(code) });
}
throw redirect(303, '/admin');
throw redirect(303, '/admin/users');
}
};