Security: Document View/Download IDOR + Missing Authorization on updateAssign Methods #347

@lighthousekeeper1212

Description

Summary

Multiple authorization vulnerabilities allow any authenticated user to access resources belonging to other users (CWE-639, CWE-862).

Vulnerability Details

1. Document View/Download IDOR (CRITICAL)

File: app/Http/Controllers/DocumentsController.php, lines 29-60

public function view($external_id)
{
    $document = Document::whereExternalId($external_id)->first();
    $fileSystem = GetStorageProvider::getStorage();
    $file = $fileSystem->view($document);
    // NO ownership check - any authenticated user can view any document
    return response($file, 200)->header('Content-Type', $document->mime);
}

The download() method (lines 45-60) has the same issue. Any authenticated user can view or download any document by its external_id, without any check that they have access to the source resource the document belongs to (Task, Client, Lead, Project).

Secure comparison: upload() in the same controller (line 68) correctly checks auth()->user()->can('document-upload'). The destroy() method also checks can('document-delete').

2. updateAssign() Missing Permission Checks (MEDIUM-HIGH)

Three controllers have updateAssign() without authorization while their sibling updateStatus() methods DO have it:

  • TasksController updateAssign() - no can() check, while updateStatus() checks can('task-update-status')
  • ProjectsController updateAssign() - no check, while updateStatus() checks can('task-update-status')
  • LeadsController updateAssign() - no check, while updateStatus() checks can('lead-update-status')

Secure comparison: ClientsController::updateAssign() correctly checks can('client-update').

Recommended Fix

Add ownership/permission checks to the view() and download() methods. Copy the permission check pattern from updateStatus() into updateAssign() in all three controllers.
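The shape such a fix could take, as an added example rather than code from this project: both document methods go through one authorization helper that reuses the can() pattern upload() and destroy() already follow and then checks ownership of the source resource. Assumed, not taken from the project: the `document-view`, `document-download` and `document-view-any` permission names, the `Document::source()` polymorphic relation with a `user_id` column on the source model, the `use` paths, and a `download()` method on the storage provider.

```php
<?php
// Added example (not the project's code): hardened DocumentsController
// methods. Assumptions: permission names 'document-view', 'document-download'
// and 'document-view-any'; a polymorphic Document::source() relation whose
// target (Task, Client, Lead or Project) has a user_id column; the use paths.

namespace App\Http\Controllers;

use App\Models\Document;            // assumed path
use App\Services\GetStorageProvider; // assumed path

class DocumentsController extends Controller
{
    // One helper for both endpoints so view() and download() cannot drift apart.
    private function authorizeDocument(string $externalId, string $ability): Document
    {
        // firstOrFail(): an unknown external_id becomes a 404, not a null dereference.
        $document = Document::whereExternalId($externalId)->firstOrFail();
        $user = auth()->user();

        // Permission check, same pattern as upload() / destroy() in this controller.
        abort_unless($user->can($ability), 403);

        // Ownership check: the caller must own the source resource the document
        // is attached to, unless they hold the assumed global view permission.
        $source = $document->source; // assumed polymorphic relation
        abort_if($source === null, 404);
        abort_unless(
            $user->can('document-view-any') || (int) $source->user_id === (int) $user->id,
            403
        );

        return $document;
    }

    public function view(string $external_id)
    {
        $document = $this->authorizeDocument($external_id, 'document-view');
        $file = GetStorageProvider::getStorage()->view($document);
        return response($file, 200)->header('Content-Type', $document->mime);
    }

    public function download(string $external_id)
    {
        $document = $this->authorizeDocument($external_id, 'document-download');
        // download() on the storage provider is assumed to return a response.
        return GetStorageProvider::getStorage()->download($document);
    }
}
```

For the updateAssign() methods the same single line applies: `abort_unless(auth()->user()->can('task-update-status'), 403);` (or the lead/client equivalent) at the top of the method, mirroring the sibling updateStatus().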

Disclosure

Found during security research. Happy to provide additional details.
