
Nityam/fix private assets authorization#3968

Open
Nixxx19 wants to merge 2 commits into processing:develop from Nixxx19:nityam/fix-private-assets-authorization

Conversation

Contributor

@Nixxx19 Nixxx19 commented Mar 3, 2026

Issue:

Fixes #3904

The getProjectAsset() endpoint was serving project assets (files, images) for any project ID without checking the project's visibility setting. This security vulnerability allowed anyone who knew or guessed a project ID to access Private project assets, even when logged out or as a different user. While project listings correctly filter by visibility, this endpoint did not enforce the same authorization checks.

Changes:

Added authorization check to getProjectAsset():

  • Added visibility and ownership validation before serving assets
  • Private projects are now only accessible to their owners
  • Unauthenticated users are blocked from accessing private project assets (returns 403)
  • Non-owners are blocked from accessing private project assets (returns 403)
  • Public projects remain accessible to everyone (no breaking changes)

Security improvements:

  • Prevents unauthorized access to private project assets
  • Protects all vulnerable routes: /full/:project_id/*, /embed/:project_id/*, /:username/sketches/:project_id/*, /present/:project_id/*
  • Uses proper ObjectId comparison for ownership verification
  • Follows the same authorization pattern as other protected endpoints in the codebase

Added comprehensive test coverage:

  • Created test suite with 8 test cases covering all scenarios
  • Tests verify: unauthenticated access blocking, non-owner blocking, owner access, public project access, and error handling
  • All tests pass successfully

Files changed:

  • server/controllers/project.controller.js: Added visibility and ownership check to getProjectAsset function
  • server/controllers/project.controller/__test__/getProjectAsset.test.js: Added comprehensive test suite

I have verified that this pull request:

  • has no linting errors (npm run lint)
  • has no test errors (npm run test)
  • has no typecheck errors (npm run typecheck)
  • is from a uniquely-named feature branch and is up to date with the develop branch.
  • is descriptively named and links to an issue number, i.e. Fixes #3904
  • meets the standards outlined in the accessibility guidelines
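The authorization rule the PR describes (public projects readable by anyone, private projects only by their owner, 403 for logged-out users and non-owners, ownership decided by ObjectId comparison rather than object identity), written out as an added example. This is not the p5.js web editor's code and not the PR's diff: it assumes a small stand-in `ObjectId` class with the `equals()`/`toString()` shape of the BSON type, a `Map` of constructed project records in place of Mongoose documents, and Express-style `req`/`res` objects with the asset path already extracted by the route.

```javascript
'use strict';

// Stand-in for the BSON/Mongoose ObjectId type (assumption: the real class
// exposes .equals() and .toString() this way). Two instances wrapping the same
// 24-hex-char id are distinct objects, so `===` is false between them;
// ownership must be compared with .equals() (or toString()), never with `===`.
class ObjectId {
  constructor(hex) {
    if (!/^[0-9a-f]{24}$/.test(hex)) throw new TypeError('invalid ObjectId hex');
    this.hex = hex;
  }
  equals(other) { return other != null && this.hex === String(other); }
  toString() { return this.hex; }
}

// Constructed sample users and projects standing in for database documents.
const ALICE = new ObjectId('64b7f1c2a9d3e4f5b6c7d8e9');
const BOB = new ObjectId('64b7f1c2a9d3e4f5b6c7d8ea');

const PROJECTS = new Map([
  ['pub-1', { id: 'pub-1', user: ALICE, visibility: 'Public', files: { 'sketch.js': '// public' } }],
  ['priv-1', { id: 'priv-1', user: ALICE, visibility: 'Private', files: { 'secret.js': '// private' } }]
]);

// Decide whether `user` (null when logged out) may read assets of `project`.
// Returns an HTTP status and a reason; 200 means the asset may be served.
// Assumption: any visibility other than 'Private' is readable by everyone.
function authorizeAssetAccess(project, user) {
  if (!project) return { status: 404, reason: 'project not found' };
  if (project.visibility !== 'Private') return { status: 200, reason: 'public project' };
  if (!user) return { status: 403, reason: 'login required for private project' };
  // `project.user` may be a bare ObjectId or a populated user document; take
  // the id in either case and compare by value, not by reference.
  const ownerId = project.user._id || project.user;
  if (!ownerId.equals(user._id)) return { status: 403, reason: 'not the project owner' };
  return { status: 200, reason: 'owner' };
}

// Express-style handler: the authorization check runs before any file lookup,
// so a private project's asset names are never probed by a non-owner.
// Assumption: `req.user` is set by session middleware and `req.params` by the route.
function getProjectAsset(req, res) {
  const project = PROJECTS.get(req.params.project_id);
  const decision = authorizeAssetAccess(project, req.user);
  if (decision.status !== 200) {
    return res.status(decision.status).json({ message: decision.reason });
  }
  const file = project.files[req.params.asset_path];
  if (file === undefined) return res.status(404).json({ message: 'asset not found' });
  return res.status(200).send(file);
}

// Minimal fake response object so the handler can be exercised without a server.
function fakeRes() {
  const r = {
    status(code) { r.code = code; return r; },
    json(body) { r.body = body; return r; },
    send(body) { r.body = body; return r; }
  };
  return r;
}

// Run one request through the handler and return the recorded response.
function request(projectId, assetPath, user) {
  const res = fakeRes();
  getProjectAsset({ params: { project_id: projectId, asset_path: assetPath }, user }, res);
  return res;
}

// Usage: a logged-out request for a private asset is refused (403), while the
// owner, presented as a fresh ObjectId with the same hex, is allowed through.
console.log(request('priv-1', 'secret.js', null).code);
console.log(request('priv-1', 'secret.js', { _id: new ObjectId('64b7f1c2a9d3e4f5b6c7d8e9') }).code);
```

Two points worth keeping when porting this into a real controller: the visibility and ownership check must run before the file lookup, otherwise the 404-vs-200 difference leaks which asset names exist inside a private project; and the 403 responses follow the PR's stated behaviour, which does confirm that a project with that ID exists. A stricter variant would return 404 for non-owners so private project IDs cannot be enumerated, at the cost of a less informative error for a logged-out owner.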



Development

Successfully merging this pull request may close these issues.

Private project assets exposed without authorization check

1 participant