Enforce the AccessJSONAPI permission on state-changing JSON API routes (#2919)

* Enforce the AccessJSONAPI permission on state-changing JSON API routes

The state-changing JSON API routes (update, update_many, remove,
doActionFor, doActionFor_many) and the user-enumeration route (getusers)
did not enforce the 'senaite.core: Access JSON API' permission, unlike
the create route. The @@API view is published with zope2.View, which
Anonymous holds on the site root, so these routes were reachable by
anonymous and under-privileged callers (CWE-862 Missing Authorization).

Add a shared check_jsonapi_permission() helper in bika.lims.jsonapi and
call it on the resolved target object before any mutation or state
change in every state-changing route. getusers is checked against the
site root before enumerating members. The create route is refactored to
use the same helper, so the permission check now has a single source of
truth. The check is placed outside the routes' try/except blocks so the
Unauthorized is not masked as a BadRequest.

Add a regression test (test_jsonapi_security) covering all gated routes
for anonymous and under-privileged (Member) callers, asserting the call
is rejected, plus a check that a privileged caller still passes the gate
and that the shared helper behaves correctly.

* Authenticate jsonapi security tests via Basic Auth

The privileged/member browser tests rendered the Plone login form,
which under the test layer triggers an unrelated z3c.form widget
template error ('TextWidget' object has no attribute 'attrs' in
datetimewidget_input.pt) and fails in CI. Authenticate through an HTTP
Basic Auth header instead, which the JSON API tests do not need a
rendered form for, keeping the tests focused on the permission check.

Author: ramonski

CHANGES.rst

@@ -4,6 +4,7 @@ Changelog
 2.7.0 (unreleased)
 ------------------
 
+- #2919 Enforce the AccessJSONAPI permission on state-changing JSON API routes
 - #2918 Fix Lab Information setup data import after Laboratory migration to Dexterity
 - #2917 Fix `ClientID` is not displayed in samples listing, but client name
 - #2916 Fix msgid collision on `description_calculation_imports` in Calculation content type

src/bika/lims/jsonapi/__init__.py

@@ -18,20 +18,37 @@
 # Copyright 2018-2025 by it's authors.
 # Some rights reserved, see README and LICENSE.
 
+import json
+import sys
+import traceback
+
+import Missing
+import six
+from AccessControl import Unauthorized
+from AccessControl import getSecurityManager
+from bika.lims import api
+from bika.lims import logger
+from bika.lims.utils import to_utf8
 from plone.app.textfield import RichTextValue
 from Products.Archetypes.config import TOOL_NAME
 from Products.CMFCore.utils import getToolByName
 from senaite.core.browser.fields.parsing import parse_record_literal
+from senaite.core.permissions import AccessJSONAPI
 
-from bika.lims import api
-from bika.lims.utils import to_utf8
-from bika.lims import logger
 
-import json
-import Missing
-import six
-import sys
-import traceback
+def check_jsonapi_permission(obj):
+    """Check the AccessJSONAPI permission on the given object
+
+    Raises Unauthorized if the current user does not hold the
+    `senaite.core: Access JSON API` permission on the passed-in object.
+    This guards the state-changing JSON API routes against anonymous and
+    under-privileged callers (CWE-862).
+    """
+    if getSecurityManager().checkPermission(AccessJSONAPI, obj):
+        return
+    msg = "You don't have the '{0}' permission on {1}".format(
+        AccessJSONAPI, obj.absolute_url())
+    raise Unauthorized(msg)
 
 
 def handle_errors(f):

src/bika/lims/jsonapi/create.py

@@ -19,16 +19,14 @@
 # Some rights reserved, see README and LICENSE.
 
 import transaction
-from AccessControl import Unauthorized
-from AccessControl import getSecurityManager
-from senaite.core.idserver import renameAfterCreation
+from bika.lims.jsonapi import check_jsonapi_permission
 from bika.lims.jsonapi import set_fields_from_request
 from bika.lims.utils import tmpID
 from plone.jsonapi.core import router
 from plone.jsonapi.core.interfaces import IRouteProvider
 from Products.Archetypes.event import ObjectInitializedEvent
 from Products.CMFPlone.utils import _createObjectByType
-from senaite.core.permissions import AccessJSONAPI
+from senaite.core.idserver import renameAfterCreation
 from zExceptions import BadRequest
 from zope import event
 from zope import interface
@@ -176,10 +174,7 @@ def create(self, context, request):
         site_path = request['PATH_INFO'].replace("/@@API/create", "")
         parent = context.restrictedTraverse(str(site_path + obj_path))
         # normal permissions still apply for this user
-        if not getSecurityManager().checkPermission(AccessJSONAPI, parent):
-            msg = "You don't have the '{0}' permission on {1}".format(
-                AccessJSONAPI, parent.absolute_url())
-            raise Unauthorized(msg)
+        check_jsonapi_permission(parent)
 
         obj_id = request.get("obj_id", "")
         _renameAfterCreation = False

src/bika/lims/jsonapi/doactionfor.py

@@ -18,15 +18,16 @@
 # Copyright 2018-2025 by it's authors.
 # Some rights reserved, see README and LICENSE.
 
+import json
+
+import transaction
+from bika.lims.jsonapi import check_jsonapi_permission
 from bika.lims.jsonapi.read import read
 from plone.jsonapi.core import router
 from plone.jsonapi.core.interfaces import IRouteProvider
 from Products.CMFCore.utils import getToolByName
 from zExceptions import BadRequest
 from zope import interface
-import json
-
-import transaction
 
 
 class doActionFor(object):
@@ -73,8 +74,10 @@ def do_action_for(self, context, request):
         if len(objects) == 0:
             raise BadRequest("No matching objects found")
         for obj_dict in objects:
+            obj = uc(UID=obj_dict['UID'])[0].getObject()
+            # normal permissions still apply for this user
+            check_jsonapi_permission(obj)
             try:
-                obj = uc(UID=obj_dict['UID'])[0].getObject()
                 workflow.doActionFor(obj, action)
                 obj.reindexObject()
             except Exception as e:
@@ -114,6 +117,8 @@ def do_action_for_many(self, context, request):
             if not obj_path.startswith("/"):
                 obj_path = "/" + obj_path
             obj = context.restrictedTraverse(str(site_path + obj_path))
+            # normal permissions still apply for this user
+            check_jsonapi_permission(obj)
             if obj_path.startswith(site_path):
                 obj_path = obj_path[len(site_path):]
             try:

src/bika/lims/jsonapi/getusers.py

@@ -18,6 +18,7 @@
 # Copyright 2018-2025 by it's authors.
 # Some rights reserved, see README and LICENSE.
 
+from bika.lims.jsonapi import check_jsonapi_permission
 from plone.jsonapi.core import router
 from plone.jsonapi.core.interfaces import IRouteProvider
 from Products.CMFCore.utils import getToolByName
@@ -67,12 +68,15 @@ def getusers(self, context, request):
         >>> browser.contents
         'No roles specified'
         """
+        # normal permissions still apply for this user
+        check_jsonapi_permission(context)
+
         roles = request.get('roles','')
 
         if len(roles) == 0:
             raise BadRequest("No roles specified")
-        
-        mtool = getToolByName(context, 'portal_membership') 
+
+        mtool = getToolByName(context, 'portal_membership')
         users = []
         for user in mtool.searchForMembers(roles=roles):
             uid = user.getId()

src/bika/lims/jsonapi/remove.py

@@ -18,12 +18,13 @@
 # Copyright 2018-2025 by it's authors.
 # Some rights reserved, see README and LICENSE.
 
+import transaction
+from bika.lims.jsonapi import check_jsonapi_permission
 from plone.jsonapi.core import router
 from plone.jsonapi.core.interfaces import IRouteProvider
 from Products.CMFCore.utils import getToolByName
 from zExceptions import BadRequest
 from zope import interface
-import transaction
 
 
 class Remove(object):
@@ -78,14 +79,17 @@ def remove(self, context, request):
             "success": True,
             "error": False,
         }
-        
+
         data = uc(UID=_uid)
         if not data:
             raise BadRequest("No objects found")
-        
+
         for proxy in data:
+            obj = proxy.getObject()
+            # normal permissions still apply for this user
+            check_jsonapi_permission(obj)
             try:
-                parent = proxy.getObject().aq_parent
+                parent = obj.aq_parent
                 parent.manage_delObjects([proxy.id])
             except Exception as e:
                 savepoint.rollback()

src/bika/lims/jsonapi/update.py

@@ -18,15 +18,17 @@
 # Copyright 2018-2025 by it's authors.
 # Some rights reserved, see README and LICENSE.
 
+import json
+
+import six
+import transaction
+from bika.lims.jsonapi import check_jsonapi_permission
 from bika.lims.jsonapi import set_fields_from_request
-from Products.CMFCore.utils import getToolByName
 from plone.jsonapi.core import router
 from plone.jsonapi.core.interfaces import IRouteProvider
+from Products.CMFCore.utils import getToolByName
 from zExceptions import BadRequest
 from zope import interface
-import json
-import six
-import transaction
 
 
 class Update(object):
@@ -146,6 +148,9 @@ def update(self, context, request):
             ret['error'] = True
             return ret
 
+        # normal permissions still apply for this user
+        check_jsonapi_permission(obj)
+
         try:
             fields = set_fields_from_request(obj, request)
             if not fields:
@@ -225,6 +230,8 @@ def update_many(self, context, request):
             if obj_path.startswith(site_path):
                 obj_path = obj_path[len(site_path):]
             obj = context.restrictedTraverse(str(site_path + obj_path))
+            # normal permissions still apply for this user
+            check_jsonapi_permission(obj)
             this_ret = {
                 "url": router.url_for("update_many", force_external=True),
                 "success": False,