SSRF / IDOR fixes (#984)

Author: daveearley

backend/app/Http/Actions/Orders/GetOrderAction.php

@@ -4,8 +4,10 @@
 
 use HiEvents\DomainObjects\AttendeeDomainObject;
 use HiEvents\DomainObjects\EventDomainObject;
+use HiEvents\DomainObjects\Generated\OrderDomainObjectAbstract;
 use HiEvents\DomainObjects\OrderItemDomainObject;
 use HiEvents\DomainObjects\QuestionAndAnswerViewDomainObject;
+use HiEvents\Exceptions\ResourceNotFoundException;
 use HiEvents\Http\Actions\BaseAction;
 use HiEvents\Repository\Eloquent\Value\OrderAndDirection;
 use HiEvents\Repository\Eloquent\Value\Relationship;
@@ -22,6 +24,9 @@ public function __construct(OrderRepositoryInterface $orderRepository)
         $this->orderRepository = $orderRepository;
     }
 
+    /**
+     * @throws ResourceNotFoundException
+     */
     public function __invoke(int $eventId, int $orderId): JsonResponse
     {
         $this->isActionAuthorized($eventId, EventDomainObject::class);
@@ -32,7 +37,14 @@ public function __invoke(int $eventId, int $orderId): JsonResponse
             ->loadRelation(new Relationship(domainObject: QuestionAndAnswerViewDomainObject::class, orderAndDirections: [
                 new OrderAndDirection(order: 'question_id'),
             ]))
-            ->findById($orderId);
+            ->findFirstWhere([
+                OrderDomainObjectAbstract::ID => $orderId,
+                OrderDomainObjectAbstract::EVENT_ID => $eventId,
+            ]);
+
+        if ($order === null) {
+            throw new ResourceNotFoundException(__('Order not found'));
+        }
 
         return $this->resourceResponse(OrderResource::class, $order);
     }

backend/app/Http/Actions/Questions/GetQuestionAction.php

@@ -3,7 +3,9 @@
 namespace HiEvents\Http\Actions\Questions;
 
 use HiEvents\DomainObjects\EventDomainObject;
+use HiEvents\DomainObjects\Generated\QuestionDomainObjectAbstract;
 use HiEvents\DomainObjects\ProductDomainObject;
+use HiEvents\Exceptions\ResourceNotFoundException;
 use HiEvents\Http\Actions\BaseAction;
 use HiEvents\Repository\Interfaces\QuestionRepositoryInterface;
 use HiEvents\Resources\Question\QuestionResource;
@@ -19,14 +21,24 @@ public function __construct(QuestionRepositoryInterface $questionRepository)
         $this->questionRepository = $questionRepository;
     }
 
+    /**
+     * @throws ResourceNotFoundException
+     */
     public function __invoke(Request $request, int $eventId, int $questionId): JsonResponse
     {
         $this->isActionAuthorized($eventId, EventDomainObject::class);
 
-        $questions = $this->questionRepository
+        $question = $this->questionRepository
             ->loadRelation(ProductDomainObject::class)
-            ->findById($questionId);
+            ->findFirstWhere([
+                QuestionDomainObjectAbstract::ID => $questionId,
+                QuestionDomainObjectAbstract::EVENT_ID => $eventId,
+            ]);
 
-        return $this->resourceResponse(QuestionResource::class, $questions);
+        if ($question === null) {
+            throw new ResourceNotFoundException(__('Question not found'));
+        }
+
+        return $this->resourceResponse(QuestionResource::class, $question);
     }
 }

backend/app/Services/Application/Handlers/Attendee/PartialEditAttendeeHandler.php

@@ -102,7 +102,14 @@ private function adjustEventStatistics(PartialEditAttendeeDTO $data, AttendeeDom
     {
         if ($data->status === AttendeeStatus::CANCELLED->name) {
             // Get the order to access the creation date for daily statistics
-            $order = $this->orderRepository->findById($attendee->getOrderId());
+            $order = $this->orderRepository->findFirstWhere([
+                'id' => $attendee->getOrderId(),
+                'event_id' => $attendee->getEventId(),
+            ]);
+
+            if ($order === null) {
+                return;
+            }
 
             $this->eventStatisticsCancellationService->decrementForCancelledAttendee(
                 eventId: $attendee->getEventId(),

backend/app/Services/Application/Handlers/Event/UpdateEventStatusHandler.php

@@ -49,14 +49,20 @@ private function updateEventStatus(UpdateEventStatusDTO $updateEventStatusDTO):
 
         $this->eventRepository->updateWhere(
             attributes: ['status' => $updateEventStatusDTO->status],
-            where: ['id' => $updateEventStatusDTO->eventId]
+            where: [
+                'id' => $updateEventStatusDTO->eventId,
+                'account_id' => $updateEventStatusDTO->accountId,
+            ]
         );
 
         $this->logger->info('Event status updated', [
             'eventId' => $updateEventStatusDTO->eventId,
             'status' => $updateEventStatusDTO->status
         ]);
 
-        return $this->eventRepository->findById($updateEventStatusDTO->eventId);
+        return $this->eventRepository->findFirstWhere([
+            'id' => $updateEventStatusDTO->eventId,
+            'account_id' => $updateEventStatusDTO->accountId,
+        ]);
     }
 }

backend/app/Services/Application/Handlers/Organizer/EditOrganizerHandler.php

@@ -51,6 +51,9 @@ private function editOrganizer(EditOrganizerDTO $organizerData): OrganizerDomain
 
         return $this->organizerRepository
             ->loadRelation(ImageDomainObject::class)
-            ->findById($organizerData->id);
+            ->findFirstWhere([
+                'id' => $organizerData->id,
+                'account_id' => $organizerData->account_id,
+            ]);
     }
 }

backend/app/Services/Application/Handlers/Organizer/UpdateOrganizerStatusHandler.php

@@ -48,14 +48,20 @@ private function updateOrganizerStatus(UpdateOrganizerStatusDTO $updateOrganizer
 
         $this->organizerRepository->updateWhere(
             attributes: ['status' => $updateOrganizerStatusDTO->status],
-            where: ['id' => $updateOrganizerStatusDTO->organizerId]
+            where: [
+                'id' => $updateOrganizerStatusDTO->organizerId,
+                'account_id' => $updateOrganizerStatusDTO->accountId,
+            ]
         );
 
         $this->logger->info('Organizer status updated', [
             'organizerId' => $updateOrganizerStatusDTO->organizerId,
             'status' => $updateOrganizerStatusDTO->status
         ]);
 
-        return $this->organizerRepository->findById($updateOrganizerStatusDTO->organizerId);
+        return $this->organizerRepository->findFirstWhere([
+            'id' => $updateOrganizerStatusDTO->organizerId,
+            'account_id' => $updateOrganizerStatusDTO->accountId,
+        ]);
     }
 }

backend/app/Services/Application/Handlers/ProductCategory/EditProductCategoryHandler.php

@@ -29,6 +29,9 @@ public function handle(UpsertProductCategoryDTO $dto): ProductCategoryDomainObje
             ],
         );
 
-        return $this->productCategoryRepository->findById($dto->product_category_id);
+        return $this->productCategoryRepository->findFirstWhere([
+            'id' => $dto->product_category_id,
+            'event_id' => $dto->event_id,
+        ]);
     }
 }

backend/app/Services/Application/Handlers/TaxAndFee/EditTaxHandler.php

@@ -61,7 +61,10 @@ public function handle(UpsertTaxDTO $data): TaxAndFeesDomainObject
         );
 
         /** @var TaxAndFeesDomainObject $tax */
-        $tax = $this->taxRepository->findById($data->id);
+        $tax = $this->taxRepository->findFirstWhere([
+            'id' => $data->id,
+            'account_id' => $data->account_id,
+        ]);
 
         $this->logger->info('Updated tax', [
             'id' => $tax->getId(),

backend/app/Services/Application/Handlers/User/CancelEmailChangeHandler.php

@@ -3,6 +3,7 @@
 namespace HiEvents\Services\Application\Handlers\User;
 
 use HiEvents\DomainObjects\UserDomainObject;
+use HiEvents\Exceptions\ResourceNotFoundException;
 use HiEvents\Repository\Interfaces\UserRepositoryInterface;
 use HiEvents\Services\Application\Handlers\User\DTO\CancelEmailChangeDTO;
 use Psr\Log\LoggerInterface;
@@ -24,6 +25,12 @@ public function __construct(
 
     public function handle(CancelEmailChangeDTO $data): UserDomainObject
     {
+        $user = $this->userRepository->findByIdAndAccountId($data->userId, $data->accountId);
+
+        if ($user === null) {
+            throw new ResourceNotFoundException(__('User not found'));
+        }
+
         $this->userRepository->updateWhere(
             attributes: [
                 'pending_email' => null,

backend/app/Services/Application/Handlers/User/UpdateMeHandler.php

@@ -88,15 +88,10 @@ private function isChangingEmail(UpdateMeDTO $updateUserData, UserDomainObject $
 
     private function getExistingUser(UpdateMeDTO $updateUserData): UserDomainObject
     {
-        $existingUser = $this->userRepository->findFirstWhere([
-            'id' => $updateUserData->id,
-        ]);
-
-        if ($existingUser === null) {
-            throw new ResourceNotFoundException();
-        }
-
-        return $existingUser;
+        return $this->userRepository->findByIdAndAccountId(
+            $updateUserData->id,
+            $updateUserData->account_id
+        );
     }
 
     private function sendEmailChangeConfirmation(UserDomainObject $existingUser): void