coolify

rosslh/coolify

Fork 0

Commit graph

Author	SHA1	Message	Date
Andras Bacsai	e88f50912c	fix: add authentication context to TeamPolicyTest The tests were failing because User::role() depends on Auth::user() and currentTeam() session being set. Added actingAs() and session setup to each test to properly authenticate users before checking permissions. This fixes the 'Attempt to read property "teams" on null' errors.	2025-10-15 15:08:35 +02:00
Andras Bacsai	336fa0c714	fix: critical privilege escalation in team invitation system This commit addresses a critical security vulnerability where low-privileged users (members) could invite high-privileged users (admins/owners) to teams, allowing them to escalate their own privileges through password reset. Root Causes Fixed: 1. TeamPolicy authorization checks were commented out, allowing all team members to manage invitations instead of just admins/owners 2. Missing role elevation checks in InviteLink component allowed members to invite users with higher privileges Security Fixes: 1. app/Policies/TeamPolicy.php - Uncommented and enforced authorization checks for: * update() - Only admins/owners can update team settings * delete() - Only admins/owners can delete teams * manageMembers() - Only admins/owners can manage team members * viewAdmin() - Only admins/owners can view admin panel * manageInvitations() - Only admins/owners can manage invitations 2. app/Livewire/Team/InviteLink.php - Added explicit role elevation checks to prevent: * Members from inviting admins or owners * Admins from inviting owners (defense-in-depth) - Validates that inviter has sufficient privileges for target role Test Coverage: 1. tests/Feature/TeamPolicyTest.php - 24 comprehensive tests covering all policy methods - Tests for owner, admin, member, and non-member access - Specific tests for the privilege escalation vulnerability 2. tests/Feature/TeamInvitationPrivilegeEscalationTest.php - 11 tests covering all role elevation scenarios - Tests member → admin/owner escalation (blocked) - Tests admin → owner escalation (blocked) - Tests valid invitation paths for each role Impact: - Prevents privilege escalation attacks - Protects all Coolify instances from unauthorized access - Enforces proper role hierarchy in team management References: - Identified by Aikido AI whitebox pentest service - CVE: Pending assignment - Severity: Critical 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-10-15 11:42:25 +02:00

Author

SHA1

Message

Date

Andras Bacsai

e88f50912c

fix: add authentication context to TeamPolicyTest

The tests were failing because User::role() depends on Auth::user() and
currentTeam() session being set. Added actingAs() and session setup to
each test to properly authenticate users before checking permissions.

This fixes the 'Attempt to read property "teams" on null' errors.

2025-10-15 15:08:35 +02:00

Andras Bacsai

336fa0c714

fix: critical privilege escalation in team invitation system

This commit addresses a critical security vulnerability where low-privileged
users (members) could invite high-privileged users (admins/owners) to teams,
allowing them to escalate their own privileges through password reset.

Root Causes Fixed:
1. TeamPolicy authorization checks were commented out, allowing all team
   members to manage invitations instead of just admins/owners
2. Missing role elevation checks in InviteLink component allowed members
   to invite users with higher privileges

Security Fixes:

1. app/Policies/TeamPolicy.php
   - Uncommented and enforced authorization checks for:
     * update() - Only admins/owners can update team settings
     * delete() - Only admins/owners can delete teams
     * manageMembers() - Only admins/owners can manage team members
     * viewAdmin() - Only admins/owners can view admin panel
     * manageInvitations() - Only admins/owners can manage invitations

2. app/Livewire/Team/InviteLink.php
   - Added explicit role elevation checks to prevent:
     * Members from inviting admins or owners
     * Admins from inviting owners (defense-in-depth)
   - Validates that inviter has sufficient privileges for target role

Test Coverage:

1. tests/Feature/TeamPolicyTest.php
   - 24 comprehensive tests covering all policy methods
   - Tests for owner, admin, member, and non-member access
   - Specific tests for the privilege escalation vulnerability

2. tests/Feature/TeamInvitationPrivilegeEscalationTest.php
   - 11 tests covering all role elevation scenarios
   - Tests member → admin/owner escalation (blocked)
   - Tests admin → owner escalation (blocked)
   - Tests valid invitation paths for each role

Impact:
- Prevents privilege escalation attacks
- Protects all Coolify instances from unauthorized access
- Enforces proper role hierarchy in team management

References:
- Identified by Aikido AI whitebox pentest service
- CVE: Pending assignment
- Severity: Critical

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2025-10-15 11:42:25 +02:00

2 commits