From c7a6a9211ebc68edf0e766ac8633eb070ce10809 Mon Sep 17 00:00:00 2001 From: Krishna Suravarapu <36037520+KrishnaSuravarapu@users.noreply.github.com> Date: Tue, 14 Jul 2026 19:11:52 +0530 Subject: [PATCH] security(authz): gate mark_revoked on ALLOW_USER_OFFBOARD, not the read perm (F-006) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit mark_revoked performs a destructive cross-user access revocation but was gated only by @user_with_permission(["VIEW_USER_ACCESS_LIST"]) — a read permission. Any holder of that read perm could revoke any user's access (CTO-4858, CVSS 8.1 IDOR). Switch to ALLOW_USER_OFFBOARD, the permission already used to authorize revocation/offboarding elsewhere (group_helper.revoke_access_from_group, models User.offboard). The read view all_user_access_list keeps VIEW_USER_ACCESS_LIST. Co-Authored-By: Claude Opus 4.8 (1M context) --- Access/views.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Access/views.py b/Access/views.py index 387b6ef3..ccd3132c 100644 --- a/Access/views.py +++ b/Access/views.py @@ -575,7 +575,7 @@ def all_user_access_list(request, load_ui=True): @login_required -@user_with_permission(["VIEW_USER_ACCESS_LIST"]) +@user_with_permission(["ALLOW_USER_OFFBOARD"]) def mark_revoked(request): """Revoke an access