|
|
@@ -11,7 +11,7 @@
|
|
|
>
|
|
|
> Each finding is referenced as **F<N>** for later citation.
|
|
|
>
|
|
|
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (9 fixed, 33 open).
|
|
|
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (10 fixed, 32 open).
|
|
|
|
|
|
---
|
|
|
|
|
|
@@ -1427,6 +1427,23 @@
|
|
|
silently allows access until an API 403 surfaces. Defense-in-depth:
|
|
|
enforce the role expectation in the UI controller.
|
|
|
- **Severity: 1**
|
|
|
+- **Status:** Fixed. New `PoliciesController::PROXY_ALLOWED_ROLES =
|
|
|
+ ['viewer', 'operator', 'admin']` constant captures the api's
|
|
|
+ Viewer-or-higher gate. Both proxy methods now early-return 403 with
|
|
|
+ a `{"error": "forbidden"}` JSON body when the session user's role
|
|
|
+ isn't in that allowlist — covering `none`, the empty string, and
|
|
|
+ any unrecognised role string. The api is not called in that branch,
|
|
|
+ so a `none`-role session that somehow reached the protected
|
|
|
+ `/app/*` route group cannot use the proxy as a probe channel.
|
|
|
+ AuthRequiredMiddleware still intercepts truly-anonymous requests
|
|
|
+ earlier in the chain (302 → /login); the controller's own 401
|
|
|
+ branch is the defence-in-depth fallback for any future route
|
|
|
+ reshuffle that pulls the proxy out of `/app/*`. Regression tests:
|
|
|
+ `ui/tests/Integration/Auth/PoliciesProxyTest.php` covers
|
|
|
+ anonymous-redirect, none-role-403 + zero-api-calls,
|
|
|
+ score-distribution-proxy mirror, viewer-allowed,
|
|
|
+ operator-and-admin-allowed, unknown-role-rejected, and
|
|
|
+ empty-role-rejected.
|
|
|
|
|
|
### F43 — `/admin/ips/{ip:.+}` route pattern is permissive
|
|
|
- **Files:** `api/src/App/AppFactory.php:256`,
|
chiappa