
Fix broken access control in Kiosk Manager API endpoints#7693

Merged
DawoudIO merged 1 commit into master from fix/broken-access-control-kiosk-api
Nov 30, 2025

Conversation

@DawoudIO
Contributor

@DawoudIO DawoudIO commented Nov 30, 2025

What Changed

Add AdminRoleAuthMiddleware to the /kiosks API route group to restrict access to admin users only. This fixes a broken access control vulnerability where any authenticated user could:

  • Allow kiosk registrations (/api/kiosks/allowRegistration)
  • Accept kiosk devices (/api/kiosks/{id}/acceptKiosk)
  • Reload kiosk devices (/api/kiosks/{id}/reloadKiosk)
  • Identify kiosk devices (/api/kiosks/{id}/identifyKiosk)
  • Set kiosk assignments (/api/kiosks/{id}/setAssignment)

These operations are now properly restricted to administrators only.

Type

  • ✨ Feature
  • 🐛 Bug fix
  • ♻️ Refactor
  • 🏗️ Build/Infrastructure
  • 🔒 Security

Testing

Screenshots

Security Check

  • Introduces new input validation
  • Modifies authentication/authorization
  • Affects data privacy/GDPR

Code Quality

  • Database: Propel ORM only, no raw SQL
  • No deprecated attributes (align, valign, nowrap, border, cellpadding, cellspacing, bgcolor)
  • Bootstrap CSS classes used
  • All CSS bundled via webpack

Pre-Merge

  • Tested locally
  • No new warnings
  • Build passes
  • Backward compatible (or migration documented)

Add AdminRoleAuthMiddleware to the /kiosks API route group to restrict
access to admin users only. This fixes a broken access control
vulnerability where any authenticated user could:
- Allow kiosk registrations (/api/kiosks/allowRegistration)
- Accept kiosk devices (/api/kiosks/{id}/acceptKiosk)
- Reload kiosk devices (/api/kiosks/{id}/reloadKiosk)
- Identify kiosk devices (/api/kiosks/{id}/identifyKiosk)
- Set kiosk assignments (/api/kiosks/{id}/setAssignment)

These operations are now properly restricted to administrators only.
@DawoudIO DawoudIO added this to the 6.3.0 milestone Nov 30, 2025
Copilot AI review requested due to automatic review settings November 30, 2025 06:41
@DawoudIO DawoudIO requested a review from a team as a code owner November 30, 2025 06:41
@DawoudIO DawoudIO requested review from DAcodedBEAT, MrClever, bigtigerku, grayeul and respencer and removed request for a team November 30, 2025 06:41
Contributor

Copilot AI left a comment


Pull request overview

This pull request fixes a critical broken access control vulnerability in the Kiosk Manager API by adding AdminRoleAuthMiddleware to the /kiosks route group. Previously, any authenticated user could perform sensitive kiosk management operations that should be restricted to administrators only.

Key Changes:

  • Added AdminRoleAuthMiddleware import to kiosks.php
  • Applied the middleware to the entire /kiosks route group using the ->add() method
  • Restricted access to all kiosk management endpoints (allow registration, accept/reload/identify devices, set assignments)
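
The group-wide guard that both the PR description and the review summary above describe, as an added example rather than ChurchCRM's own kiosks.php. It assumes Slim 4 with the composer packages slim/slim and slim/psr7; the AdminRoleAuthMiddleware here is a simplified stand-in for the project's class of that name, and the `user` request attribute with its `isAdmin` flag is an assumed substitute for the project's real session lookup. The five route patterns are taken from the PR description; the handler bodies are placeholders. The function at the end is the check a reviewer would want before merging: drive every /kiosks route through the app once as a non-admin and once as an admin, and confirm the guard fires on all of them.

```php
<?php
// Added example, not ChurchCRM code. Assumes: composer require slim/slim slim/psr7
// AdminRoleAuthMiddleware is a simplified stand-in; the "user" attribute and
// its "isAdmin" flag are assumptions in place of the project's session lookup.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface as Handler;
use Slim\Factory\AppFactory;
use Slim\Psr7\Factory\ServerRequestFactory;
use Slim\Routing\RouteCollectorProxy;

final class AdminRoleAuthMiddleware implements MiddlewareInterface
{
    // Reject the request unless the (assumed) auth layer marked the user as admin.
    public function process(Request $request, Handler $handler): Response
    {
        $user = $request->getAttribute('user');
        if ($user === null || empty($user['isAdmin'])) {
            $response = (new \Slim\Psr7\Response())->withStatus(403);
            $response->getBody()->write('{"error":"admin role required"}');
            return $response->withHeader('Content-Type', 'application/json');
        }
        return $handler->handle($request);
    }
}

$app = AppFactory::create();
$app->addRoutingMiddleware();

// Placeholder handler standing in for the real kiosk operations.
$ok = fn(Request $request, Response $response): Response => $response->withStatus(200);

$app->group('/api', function (RouteCollectorProxy $api) use ($ok) {
    // Before the fix the group ended at its closing brace with no ->add(),
    // so any authenticated user could reach these handlers.
    $api->group('/kiosks', function (RouteCollectorProxy $group) use ($ok) {
        $group->post('/allowRegistration', $ok);
        $group->post('/{id}/acceptKiosk', $ok);
        $group->post('/{id}/reloadKiosk', $ok);
        $group->post('/{id}/identifyKiosk', $ok);
        $group->post('/{id}/setAssignment', $ok);
    })->add(new AdminRoleAuthMiddleware()); // group-level guard: covers every route above
});

// Regression check: each endpoint must answer 403 to a non-admin and 200 to an admin.
// Returns ['/api/kiosks/...' => ['member' => int, 'admin' => int], ...].
function checkKioskAcl(\Slim\App $app): array
{
    $factory = new ServerRequestFactory();
    $paths = [
        '/api/kiosks/allowRegistration',
        '/api/kiosks/1/acceptKiosk',
        '/api/kiosks/1/reloadKiosk',
        '/api/kiosks/1/identifyKiosk',
        '/api/kiosks/1/setAssignment',
    ];
    $results = [];
    foreach ($paths as $path) {
        foreach ([['isAdmin' => false], ['isAdmin' => true]] as $user) {
            // Constructed request: an authenticated user, with or without the admin flag.
            $request = $factory->createServerRequest('POST', $path)
                               ->withAttribute('user', $user);
            $role = $user['isAdmin'] ? 'admin' : 'member';
            $results[$path][$role] = $app->handle($request)->getStatusCode();
        }
    }
    return $results;
}

foreach (checkKioskAcl($app) as $path => $codes) {
    $verdict = ($codes['member'] === 403 && $codes['admin'] === 200) ? 'OK' : 'FAIL';
    printf("%-34s member=%d admin=%d %s\n", $path, $codes['member'], $codes['admin'], $verdict);
}
```

Run it with `php kiosks_acl_check.php`; with the `->add()` in place every line prints OK, and deleting that one call makes every `member=` column flip to 200. The check exercises the routes through `$app->handle()` rather than inspecting route metadata, so it also catches a route that was later added to the group on a path the middleware does not cover, which is the failure mode a per-route guard would have invited.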

@DawoudIO DawoudIO merged commit 6855c0f into master Nov 30, 2025
13 checks passed
@DawoudIO DawoudIO deleted the fix/broken-access-control-kiosk-api branch November 30, 2025 06:55