Description
Summary
The UVdesk API bundle (uvdesk/api-bundle) is systematically missing authorization checks that are properly implemented in the core framework's web UI controllers. Any authenticated API user can view, modify, trash, and permanently delete any ticket, and access any customer/agent personal information.
Details
Finding 1: Unauthorized Ticket Viewing (IDOR)
File: vendor/uvdesk/api-bundle/API/Tickets.php, method viewTicket() (line 340)
```php
public function viewTicket($ticketId, ...) {
    $ticket = $ticketRepository->findOneById($ticketId); // Line 345 - NO AUTH CHECK
    // Returns full ticket details, threads, customer info, agent assignments
}
```

Secure sibling: vendor/uvdesk/core-framework/Controller/TicketXHR.php line 61:

```php
if (false == $this->ticketService->isTicketAccessGranted($ticket)) {
    throw new \Exception('Access Denied', 403);
}
```

The web UI calls isTicketAccessGranted() 13+ times across TicketXHR.php, Ticket.php, and Thread.php. The API bundle calls it zero times.
Finding 2: Unauthorized Ticket Modification (IDOR)
File: vendor/uvdesk/api-bundle/API/Tickets.php, method editTicketProperties() (line 767)
Fetches ticket by ID without authorization. Allows any authenticated user to reassign agents, change status/priority, and change support group/team assignments.
Secure sibling: TicketXHR.php line 205 calls isTicketAccessGranted() before modifications.
Finding 3: Unauthorized Ticket Deletion
File: vendor/uvdesk/api-bundle/API/Tickets.php
- trashTicket() (line 133): find($ticketId) with no auth check → soft delete any ticket
- deleteTicketForever() (line 512): same pattern → permanent deletion of any trashed ticket
Finding 4: Customer Details Info Disclosure
File: vendor/uvdesk/api-bundle/API/Customers.php, method loadCustomerDetails() (line 50)
Fetches any customer by ID, returns firstName, lastName, email, phone number, verification status. No ownership or role check.
Finding 5: Agent Details Info Disclosure
File: vendor/uvdesk/api-bundle/API/Agents.php, method loadAgentDetails() (line 51)
Same pattern - exposes all agent PII without authorization check.
Impact
Any authenticated API user can:
- Read any ticket (customer PII, conversations, internal notes)
- Modify any ticket (reassign, change status/priority/groups)
- Delete any ticket (soft + permanent delete = data loss)
- Enumerate all customer and agent PII (emails, phone numbers)
This bypasses the RBAC system (GLOBAL_ACCESS, GROUP_ACCESS, TEAM_ACCESS, INDIVIDUAL_ACCESS levels) that the core framework properly implements.
Suggested Fix
Add $this->ticketService->isTicketAccessGranted($ticket) to all API ticket endpoints. Add appropriate role/ownership checks to customer and agent detail endpoints.
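As an added illustration of the suggested fix (this is example code written for this report, not code from uvdesk/api-bundle or uvdesk/core-framework), the block below places the vulnerable lookup pattern from Finding 1 next to a hardened version that applies the same isTicketAccessGranted() gate the web UI uses, and adds a role/ownership check of the kind Finding 4 calls for. Assumptions: the API controller receives a TicketService and an EntityManagerInterface by constructor injection, the current user is passed in as a Symfony UserInterface whose getRoles() includes ROLE_AGENT for agents, customers are User entities, and the class, method and helper names are illustrative rather than the bundle's real ones.

```php
<?php
// Added example, not the project's own code. Class/method names are illustrative;
// TicketService::isTicketAccessGranted() is the real core-framework check the
// report refers to. Entity class names and the ROLE_AGENT constant are assumed.

namespace App\Example;

use Doctrine\ORM\EntityManagerInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\User\UserInterface;
use Webkul\UVDesk\CoreFrameworkBundle\Entity\Ticket;
use Webkul\UVDesk\CoreFrameworkBundle\Entity\User;
use Webkul\UVDesk\CoreFrameworkBundle\Services\TicketService;

class TicketsHardened
{
    public function __construct(
        private EntityManagerInterface $entityManager,
        private TicketService $ticketService, // provides isTicketAccessGranted()
    ) {}

    // Vulnerable pattern (Finding 1): the ticket is looked up by a caller-supplied
    // id and returned to any authenticated user. Nothing consults the RBAC levels.
    public function viewTicketUnchecked(int $ticketId): JsonResponse
    {
        $ticket = $this->entityManager->getRepository(Ticket::class)->find($ticketId);
        if (!$ticket) {
            return new JsonResponse(['message' => 'Ticket not found'], Response::HTTP_NOT_FOUND);
        }
        return new JsonResponse($this->serializeTicket($ticket));
    }

    // Hardened form: same lookup, then the same gate TicketXHR.php applies at line 61,
    // before any ticket data leaves the endpoint. The identical block belongs in
    // editTicketProperties(), trashTicket() and deleteTicketForever().
    public function viewTicket(int $ticketId): JsonResponse
    {
        $ticket = $this->entityManager->getRepository(Ticket::class)->find($ticketId);
        if (!$ticket) {
            return new JsonResponse(['message' => 'Ticket not found'], Response::HTTP_NOT_FOUND);
        }
        if (false == $this->ticketService->isTicketAccessGranted($ticket)) {
            // Mirrors the core framework's 403; see the usage note for the 404 variant.
            return new JsonResponse(['message' => 'Access Denied'], Response::HTTP_FORBIDDEN);
        }
        return new JsonResponse($this->serializeTicket($ticket));
    }

    // Finding 4 counterpart: a customer record is only returned to an agent
    // (assumed role name ROLE_AGENT) or to the customer whose own record it is.
    public function loadCustomerDetails(int $customerId, UserInterface $currentUser): JsonResponse
    {
        $customer = $this->entityManager->getRepository(User::class)->find($customerId);
        if (!$customer) {
            return new JsonResponse(['message' => 'Customer not found'], Response::HTTP_NOT_FOUND);
        }

        $isAgent = in_array('ROLE_AGENT', $currentUser->getRoles(), true);
        $isOwner = method_exists($currentUser, 'getId') && $currentUser->getId() === $customer->getId();
        if (!$isAgent && !$isOwner) {
            return new JsonResponse(['message' => 'Access Denied'], Response::HTTP_FORBIDDEN);
        }

        return new JsonResponse([
            'id'        => $customer->getId(),
            'firstName' => $customer->getFirstName(),
            'lastName'  => $customer->getLastName(),
            'email'     => $customer->getEmail(),
        ]);
    }

    // Minimal serializer so the example is self-contained; the real endpoint
    // returns threads, customer info and agent assignments as well.
    private function serializeTicket(Ticket $ticket): array
    {
        return [
            'id'      => $ticket->getId(),
            'subject' => $ticket->getSubject(),
        ];
    }
}
```

The hardened ticket method keeps the 403 the core framework's sibling code raises so API and web UI behave the same; a deployment that wants to avoid confirming which ticket ids exist can return the same 404 body for both the missing and the not-permitted cases. Whichever status is chosen, the check must run before any serialization, and the same pattern has to cover every endpoint listed in Findings 1 through 5, since a single unguarded method leaves the IDOR in place.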
CWE-862 (Missing Authorization), CWE-639 (Authorization Bypass Through User-Controlled Key)