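--- a/workflow/packages/frontend/src/hooks/authorization-hooks.ts
+++ b/workflow/packages/frontend/src/hooks/authorization-hooks.ts
@@ -33,10 +33,17 @@ export const useAuthorization = () => {
 });
 
 const checkAccess = (permission: Permission) => {
-if (isLoading || edition === ApEdition.COMMUNITY) {
-return true;
+// SECURITY FIX: Implement fail-closed security principle during loading
+if (isLoading) {
+return false; // βœ… SECURE: Deny access during authentication loading
 }
-return projectRole?.permissions?.includes(permission) ?? true;
+
+if (edition === ApEdition.COMMUNITY) {
+return true; // Community edition bypass OK
+}
+
+// Default to deny access if projectRole is undefined
+return projectRole?.permissions?.includes(permission) ?? false;
 };
 
 return { checkAccess };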
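Review bot: Putting the `isLoading` guard first also denies COMMUNITY-edition callers for as long as the role query is in flight, which the removed combined condition did not; if `edition` is available independently of the query behind `isLoading` (both are defined above the hunk, inside `useAuthorization`, whose body starts before and ends after it), testing `edition === ApEdition.COMMUNITY` before `isLoading` keeps the fail-closed default on the role-based path without withholding community UI during the load — an undefined `edition` would simply fall through to the deny. The new comments narrate the commit ("SECURITY FIX", "SECURE") rather than the invariant, and the check-mark on the `return false` line arrives as mojibake; prefer `// Fail closed: deny until the project role has loaded; the hook re-renders once isLoading clears.` and `// No role data means no permissions.` Because this hook runs in the browser, `checkAccess` only gates what the UI renders, so a one-line comment above it stating that the API, not this hook, is the enforcement point (assuming the backend checks permissions independently) would keep the next maintainer from treating it as the authorization boundary.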