Skip to content

Commit c2b792e

Browse files
github-actions[bot]claude
authored andcommitted
(fix): address review findings — 1 HIGH, 0 MEDIUM
Restore strict-equivalence regex in MongoPermissionFilter to match the hardening applied in main by 6d50ac1 ("Force strict equivalence in mongo role checks"). The query-lib refactor extracted the three Mongo.php call sites into this hook but reverted the pattern to the pre-fix form that matches stored permissions whose role substring contains any of the caller's roles, enabling a read-side authorization bypass. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
1 parent 15e6aa7 commit c2b792e

1 file changed

Lines changed: 1 addition & 1 deletion

File tree

src/Database/Hook/MongoPermissionFilter.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -48,7 +48,7 @@ public function applyFilters(array $filters, string $collection, string $forPerm
4848
$permissionsFilter = isset($filters['_permissions']) && \is_array($filters['_permissions'])
4949
? $filters['_permissions']
5050
: [];
51-
$permissionsFilter['$in'] = [new Regex("{$forPermission}\\(\".*(?:{$roles}).*\"\\)", 'i')];
51+
$permissionsFilter['$in'] = [new Regex("{$forPermission}\\(\"(?:{$roles})\"\\)", 'i')];
5252
$filters['_permissions'] = $permissionsFilter;
5353

5454
return $filters;

0 commit comments

Comments
 (0)