Skip to content

Security: Unauthenticated Template Deletion#8657

Merged
AngelFQC merged 2 commits into
masterfrom
security/auto-fix-GHSA-37fh-r78h-9vvr
Jun 24, 2026
Merged

Security: Unauthenticated Template Deletion#8657
AngelFQC merged 2 commits into
masterfrom
security/auto-fix-GHSA-37fh-r78h-9vvr

Conversation

@AngelFQC

@AngelFQC AngelFQC commented Jun 24, 2026

Copy link
Copy Markdown
Member

Requires the requester to be a teacher of the course that owns the referenced document (CourseVoter::EDIT, i.e. course teacher or admin) before deleting its document template, matching the isCurrentTeacher gate used in the frontend. The course is resolved from the document itself, so an attacker cannot bypass the check by supplying a different course context. Closes an endpoint that previously allowed any unauthenticated user to delete arbitrary templates.

Refs GHSA-37fh-r78h-9vvr

@AngelFQC AngelFQC merged commit b80a937 into master Jun 24, 2026
4 of 12 checks passed
@AngelFQC AngelFQC deleted the security/auto-fix-GHSA-37fh-r78h-9vvr branch June 24, 2026 21:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant