Summary
The entire API bundle (api-bundle) lacks authorization checks beyond authentication. Any user with a valid API token can perform full administrative operations on all tickets, agents, and attachments.
Findings
1. HIGH - API endpoints have zero authorization
Files: vendor/uvdesk/api-bundle/API/Tickets.php, Agents.php, Threads.php
The API guard authenticates via Bearer token but NO controller checks isAccessAuthorized() or isTicketAccessGranted():
- `viewTicket()` - returns any ticket by ID with full details
- `trashTicket()` / `deleteTicketForever()` - delete any ticket
- `editTicketProperties()` - modify any ticket's agent, status, priority, group
- `createAgentRecord()` - any API user can create agents with ROLE_ADMIN
- `updateAgentRecord()` / `deleteAgentRecord()` - modify/delete any agent
- `saveThread()` - create threads on any ticket
- `downloadAttachment()` - download any attachment
2. MEDIUM - Agent delete missing admin check
File: vendor/uvdesk/core-framework/Controller/AccountXHR.php:46
deleteAgent() has no isAccessAuthorized('ROLE_AGENT_MANAGE_AGENT') check while list/create/edit all have it.
3. MEDIUM - Thread list IDORs
- `core-framework/Controller/ThreadXHR.php:20` - agent thread list, no `isTicketAccessGranted()`
- `support-center-bundle/Controller/Ticket.php:425` - customer thread list, no ownership check
4. LOW - Label and saved filter IDORs
- `TicketXHR.php:77` - edit/delete other agents' labels
- `AccountXHR.php:105` - edit/delete other agents' saved filters
Fix
Add isTicketAccessGranted() to all ticket API operations. Add isAccessAuthorized('ROLE_AGENT_MANAGE_AGENT') to agent API operations and deleteAgent(). Add ownership checks to label/filter operations.
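As an added illustration (not UVDesk's code and not a patch from this report), the pattern the Fix section describes, applied to three of the operations listed above: a ticket read before and after the per-ticket check, an agent-management call gated on the role, and an owner-scoped label delete. The two service method names are the ones cited in this report; their signatures, the entity classes, the stub policy services and the plain HTTP status-code return values are assumptions made for the example.

```php
<?php
// Added example, not UVDesk's own code. The two service method names are the
// ones this report cites; their signatures, the entity classes, the stub
// policy services and the int status-code return values are assumptions.

interface TicketService { public function isTicketAccessGranted(Ticket $t, User $u): bool; }
interface UserService   { public function isAccessAuthorized(string $role, User $u): bool; }

final class User       { public function __construct(public int $id, public array $roles) {} }
final class Ticket     { public function __construct(public int $id, public int $agentId) {} }
final class SavedLabel { public function __construct(public int $id, public int $ownerId) {} }

final class TicketsApi
{
    public function __construct(
        private TicketService $ticketService,
        private UserService $userService,
        private array $tickets,  // id => Ticket, stands in for the repository
        private array $labels,   // id => SavedLabel
    ) {}

    // BEFORE: the caller holds a valid token but is never authorized for this
    // ticket, so any token reads any ticket by id. Returns an HTTP status.
    public function viewTicketUnchecked(User $caller, int $ticketId): int
    {
        return isset($this->tickets[$ticketId]) ? 200 : 404;
    }

    // AFTER: same lookup, then the per-ticket check before anything is returned.
    public function viewTicket(User $caller, int $ticketId): int
    {
        $ticket = $this->tickets[$ticketId] ?? null;
        if ($ticket === null) {
            return 404;
        }
        if (!$this->ticketService->isTicketAccessGranted($ticket, $caller)) {
            return 403;
        }
        return 200;
    }

    // Agent management is gated on the role the report names, checked before
    // any lookup or write.
    public function deleteAgentRecord(User $caller, int $agentId): int
    {
        if (!$this->userService->isAccessAuthorized('ROLE_AGENT_MANAGE_AGENT', $caller)) {
            return 403;
        }
        return 200; // the delete itself is elided
    }

    // Per-agent resources (labels, saved filters) are scoped to their owner.
    // Another agent's label is reported exactly like a missing one, so the
    // endpoint does not confirm which ids exist.
    public function deleteLabel(User $caller, int $labelId): int
    {
        $label = $this->labels[$labelId] ?? null;
        if ($label === null || $label->ownerId !== $caller->id) {
            return 404;
        }
        unset($this->labels[$labelId]);
        return 200;
    }
}

// Constructed stub policies: admins see every ticket, agents only assigned ones.
$ticketService = new class implements TicketService {
    public function isTicketAccessGranted(Ticket $t, User $u): bool
    {
        return in_array('ROLE_ADMIN', $u->roles, true) || $t->agentId === $u->id;
    }
};
$userService = new class implements UserService {
    public function isAccessAuthorized(string $role, User $u): bool
    {
        return in_array($role, $u->roles, true);
    }
};

$api = new TicketsApi(
    $ticketService,
    $userService,
    [1 => new Ticket(1, 10), 2 => new Ticket(2, 20)],
    [5 => new SavedLabel(5, 20)],
);
$agent = new User(10, ['ROLE_AGENT']); // plain agent, assigned ticket 1 only

printf("unchecked view of ticket 2 (not assigned): %d\n", $api->viewTicketUnchecked($agent, 2));
printf("checked view of ticket 2 (not assigned):   %d\n", $api->viewTicket($agent, 2));
printf("checked view of ticket 1 (assigned):       %d\n", $api->viewTicket($agent, 1));
printf("delete agent without manage role:          %d\n", $api->deleteAgentRecord($agent, 20));
printf("delete another agent's label:              %d\n", $api->deleteLabel($agent, 5));
```

The ordering matters: the role check in `deleteAgentRecord()` runs before any lookup or write, and the ticket check runs on the loaded entity before its fields are serialized, so an unauthorized caller never receives partial data. For owner-scoped resources the example collapses "missing" and "not yours" into one 404; returning 403 there would turn the endpoint into an id oracle for other agents' labels and filters. Running the script with PHP 8 shows the unchecked read succeeding and each of the checked operations refusing the plain agent.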