fix: Prevent IDOR in Workspaces::Update (Closes #951) #977

Open
MuhammadIbtisam wants to merge 1 commit into Multiwoven:main from MuhammadIbtisam:fix/workspace-update-idor

Conversation


@MuhammadIbtisam MuhammadIbtisam commented Mar 21, 2026

Description

Fixes an IDOR (Insecure Direct Object Reference) in Workspaces::Update. The interactor previously used Workspace.find_by(id:), so any authenticated user could update any workspace. It now uses context.user.workspaces.find_by(id:) so updates are limited to workspaces the user can access. A guard clause ensures the interactor fails when the workspace is not found or not owned.

Related Issue

Relates to issue #951 – Security: Cross-Workspace Update IDOR in Workspaces::Update Interactor.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

bundle exec rspec spec/interactors/workspaces/update_spec.rb
Existing specs were updated to associate the user with the workspace.
A new spec asserts that a user cannot update another user’s workspace (IDOR case).

Summary by CodeRabbit

  • Bug Fixes
    • Enhanced workspace access controls to prevent unauthorized modifications by users without proper permissions.
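The "before" and "after" lookups described in the PR, as an added example that is not Multiwoven's code: in-memory stand-ins for the Workspace and User models and a minimal Interactor-style context (with fail!, failure? and success?) replace Rails, so the cross-workspace update can be exercised offline. The data (alice-ws, bob-ws, the user bob) and the error message are constructed for the example.

```ruby
# Added example, not the project's code: demonstrates why scoping the lookup to
# user.workspaces closes the IDOR, using plain Ruby objects instead of Rails.

Workspace = Struct.new(:id, :name)

# A user's memberships; stands in for the `user.workspaces` association.
User = Struct.new(:name, :workspaces)

# Minimal stand-in for Interactor::Context: attributes plus success/failure state.
class Context
  attr_accessor :workspace, :errors

  def initialize
    @failed = false
    @errors = []
  end

  # Mirrors context.fail!(key: value): set attributes, then mark the run failed.
  def fail!(workspace: nil, errors: [])
    @workspace = workspace
    @errors = errors
    @failed = true
  end

  def failure?
    @failed
  end

  def success?
    !@failed
  end
end

# "Before": global lookup (like Workspace.find_by(id:)). The caller is
# authenticated, but `user` is never consulted, so any workspace id is reachable.
def update_workspace_unscoped(all_workspaces:, user:, id:, name:)
  ctx = Context.new
  workspace = all_workspaces.find { |w| w.id == id }
  if workspace.nil?
    ctx.fail!(errors: ["Workspace not found"])   # constructed message
    return ctx
  end
  workspace.name = name
  ctx.workspace = workspace
  ctx
end

# "After": lookup restricted to the caller's memberships (like
# user.workspaces.find_by(id:)), with a guard clause that fails the interactor
# when the id is unknown or belongs to a workspace the user is not a member of.
def update_workspace_scoped(user:, id:, name:)
  ctx = Context.new
  workspace = user.workspaces.find { |w| w.id == id }
  if workspace.nil?
    ctx.fail!(workspace: nil, errors: ["Workspace not found"])
    return ctx
  end
  workspace.name = name
  ctx.workspace = workspace
  ctx
end

# Scenario: bob, who is not a member of alice's workspace, submits its id.
# Returns [failed?, alice_workspace_name_afterwards] so the outcome is checkable.
def cross_workspace_update(impl)
  alice_ws = Workspace.new(1, "alice-ws")
  bob_ws   = Workspace.new(2, "bob-ws")
  all      = [alice_ws, bob_ws]
  bob      = User.new("bob", [bob_ws])

  ctx = case impl
        when :unscoped
          update_workspace_unscoped(all_workspaces: all, user: bob,
                                    id: alice_ws.id, name: "renamed-by-bob")
        when :scoped
          update_workspace_scoped(user: bob, id: alice_ws.id, name: "renamed-by-bob")
        end
  [ctx.failure?, alice_ws.name]
end

# Regression check: the scoped lookup still lets a member update their own workspace.
def own_workspace_update
  bob_ws = Workspace.new(2, "bob-ws")
  bob    = User.new("bob", [bob_ws])
  ctx    = update_workspace_scoped(user: bob, id: bob_ws.id, name: "bob-renamed")
  [ctx.success?, bob_ws.name]
end

if __FILE__ == $PROGRAM_NAME
  p cross_workspace_update(:unscoped)  # [false, "renamed-by-bob"]  -> IDOR
  p cross_workspace_update(:scoped)    # [true, "alice-ws"]         -> blocked
  p own_workspace_update               # [true, "bob-renamed"]
end
```

The guard clause matters because a Rails find_by returns nil rather than raising; without the early fail!, the unscoped version's workspace.update would have raised on nil, while the scoped version would silently skip the update and report success.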

@coderabbitai

coderabbitai bot commented Mar 21, 2026

Walkthrough

This PR fixes an Insecure Direct Object Reference (IDOR) vulnerability in the workspace update interactor by scoping the workspace lookup to the current user's workspaces instead of globally, with early failure handling for missing workspaces. Test coverage is added to verify the authorization check works correctly.

Changes

Cohort / File(s)                                      | Summary
------------------------------------------------------|------------------------------------------------------------
Authorization & Lookup                                | Scopes workspace lookup from global Workspace.find_by to
server/app/interactors/workspaces/update.rb           | user-scoped context.user.workspaces.find_by, adds early
                                                      | failure when workspace is not found, and removes the safe
                                                      | navigation operator.
IDOR & Auth Tests                                     | Adds workspace_user admin membership setup hook and
server/spec/interactors/workspaces/update_spec.rb     | introduces IDOR test case verifying that unauthorized users
                                                      | cannot update workspaces they don't have access to.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A burrow of workspaces, now guarded with care,
No trespassers passing through unaware,
Each user sees only their own little space,
With tests standing guard at the authorization gate! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name          | Status     | Explanation                                                  | Resolution
--------------------|------------|--------------------------------------------------------------|------------------------------------------------
Docstring Coverage  | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The        | Write docstrings for the functions missing them
                    |            | required threshold is 80.00%.                                | to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name          | Status     | Explanation
--------------------|------------|--------------------------------------------------------------------------------------
Title check         | ✅ Passed  | The title clearly summarizes the main change: fixing an IDOR vulnerability in the
                    |            | Workspaces::Update interactor with a specific issue reference.
Description check   | ✅ Passed  | The description covers the fix details, related issue, type of change, and testing
                    |            | approach. However, the Type of Change checkbox is not properly marked.


@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
server/spec/interactors/workspaces/update_spec.rb (1)

52-58: Optionally assert failure payload to lock branch behavior.

You can make this test stricter by asserting the interactor returns no workspace in this unauthorized path (Line 56 onward), which better pins the fail!(workspace: nil) branch.

Optional test tightening
         expect(result).to be_a_failure
+        expect(result.workspace).to be_nil
         expect(workspace.reload.name).to eq(original_name)
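Review bot: the added `expect(result.workspace).to be_nil` line is weaker than it looks. If the interactor context behaves like an OpenStruct (as Interactor's Context does), an attribute that was never assigned also reads as nil, so this assertion passes whether or not the `fail!(workspace: nil)` branch ran. To actually lock that branch, pair it with something only the guard produces, e.g. an assertion on the error the interactor sets when the workspace is not found (if it sets one), or keep the `workspace.reload.name` check as the assertion that carries the weight.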

📥 Commits

Reviewing files that changed from the base of the PR and between ad20749 and 554532c.

📒 Files selected for processing (2)
  • server/app/interactors/workspaces/update.rb
  • server/spec/interactors/workspaces/update_spec.rb
