Mitigate role escalation in the ask_for_access viewset #1580
+138
−27
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
lunika
force-pushed
the
fix/ask-to-access-escalation
branch
from
02d300d to
b37f2aa
Compare
AntoLC
reviewed
Nov 13, 2025
|
Size Change: +23 B (0%) Total Size: 4.07 MB
|
We check that the role set in a ask_for_access is not higher than the user's role accepting the request. We prevent case where ad min will grant a user owner in order to take control of the document. Only owner can accept an owner role.
When a ask_for_access creation is made, we explicitly remove the owner role to prevent role escalation.
lunika
force-pushed
the
fix/ask-to-access-escalation
branch
from
35e2235 to
3ce8864
Compare
Like in other abilities, we compute a set_role_to property on the abilities. This set_role_to contains all the roles lower or equal than the current user role. We rely on this propoerty to validate the accept endpoint and it will be used by the front allpication to built the role select list.
We disable roles that the current user is not allowed to assign when sharing a document. This prevents users from selecting roles they cannot actually assign, improving the user experience and reducing confusion.
lunika
force-pushed
the
fix/ask-to-access-escalation
branch
from
3ce8864 to
b069310
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Purpose
Via the ask_for_access viewset, it is possible for an administrator to escaladate an other user to an owner role and then take the control of the document by removing all other owner.
This PR ensure that an administrator can not accept role higher than the one he/she already have. Also, the serializer does not accept the owner role anymore.
Proposal