fix: restrict backup restore to admins #601

Closed
Bladestar2105 wants to merge 1 commit into main from codex/fix-user-backup-restore-authorization-flaw

Conversation

@Bladestar2105
Owner

Motivation

  • Close an authorization rollback vulnerability where non-admin users could restore backups and reinsert user_channels rows that re-granted previously revoked streaming access.

Description

  • Make restoreBackup admin-only by rejecting requests when req.user.is_admin is false, leaving listing and creation endpoints unchanged.
  • Update docs/API_REFERENCE.md to document that the restore endpoint is admin-only.
  • Add a focused controller test tests/controllers/backupController.test.js that asserts non-admin restores are denied and admin restores are allowed.

Testing

  • Ran npm run lint which completed (repository contains pre-existing warnings but lint finished successfully).
  • Ran npm exec vitest run tests/controllers/backupController.test.js and the new tests passed (2 tests).
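The rollback described in the PR is easiest to see with a small model of the restore handler. The following is an added illustration, not the project's own code: it keeps a `user_channels`-style table and a backup snapshot in memory, revokes a channel after the snapshot was taken, and then runs the restore under the pre-fix (owner-or-admin) check and the post-fix (admin-only) check. All names here (`restoreBackup`, `makeStore`, `runScenario`, the user and channel ids) are constructed for the example.

```javascript
// Added example, not the project's code. Models why an owner-or-admin check on
// restore is insufficient when the restored rows are themselves authorization
// records: the owner can replay a snapshot and undo an admin's later revocation.

function makeRes() {
  // Minimal stand-in for an Express response: records status code and JSON body.
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  return res;
}

function makeStore() {
  // Constructed data: user 7 currently streams channel 42, and backup 1 is a
  // snapshot of that grant taken before any revocation.
  return {
    userChannels: [{ user_id: 7, channel_id: 42 }],
    backups: { 1: { user_id: 7, rows: [{ user_id: 7, channel_id: 42 }] } },
  };
}

// Controller factory; `policy` is 'owner-or-admin' (pre-fix) or 'admin-only' (post-fix).
function restoreBackup(store, policy) {
  return (req, res) => {
    const userId = Number(req.params.userId);
    const backupId = Number(req.params.id);
    const allowed = policy === 'admin-only'
      ? Boolean(req.user.is_admin)                        // post-fix check
      : Boolean(req.user.is_admin) || req.user.id === userId; // pre-fix check
    if (!allowed) return res.status(403).json({ error: 'Access denied' });

    const backup = store.backups[backupId];
    if (!backup || backup.user_id !== userId) {
      return res.status(404).json({ error: 'Backup not found' });
    }
    // Restore reinserts snapshot rows; any revocation made after the snapshot is undone.
    for (const row of backup.rows) {
      if (!hasChannel(store, row.user_id, row.channel_id)) {
        store.userChannels.push({ ...row });
      }
    }
    return res.status(200).json({ restored: backup.rows.length });
  };
}

function revokeChannel(store, userId, channelId) {
  store.userChannels = store.userChannels.filter(
    (r) => !(r.user_id === userId && r.channel_id === channelId),
  );
}

function hasChannel(store, userId, channelId) {
  return store.userChannels.some(
    (r) => r.user_id === userId && r.channel_id === channelId,
  );
}

// Scenario: an admin revokes channel 42 from user 7, then user 7 (non-admin)
// restores backup 1, which still contains the grant. Returns the HTTP status
// and whether the revoked grant is back in the table afterwards.
function runScenario(policy, user = { id: 7, is_admin: false }) {
  const store = makeStore();
  revokeChannel(store, 7, 42);
  const req = { params: { userId: '7', id: '1' }, user };
  const res = makeRes();
  restoreBackup(store, policy)(req, res);
  return { status: res.statusCode, regained: hasChannel(store, 7, 42) };
}

// Same scenario driven by an admin under the post-fix policy (still allowed).
function runAdminScenario() {
  return runScenario('admin-only', { id: 1, is_admin: true });
}

console.log('pre-fix, non-admin :', runScenario('owner-or-admin')); // 200, regained: true
console.log('post-fix, non-admin:', runScenario('admin-only'));     // 403, regained: false
console.log('post-fix, admin    :', runAdminScenario());            // 200, regained: true
```

Under the pre-fix policy the owner's restore succeeds and the revoked channel row is back; under the admin-only policy the same request is refused and the revocation stands, while an admin can still restore. The check is deliberately placed before any lookup of the backup so that a denied caller also learns nothing about which backup ids exist.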

Codex Task


@chatgpt-codex-connector (Bot) left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f8a55ee79f


const backupId = Number(req.params.id);

if (!req.user.is_admin && req.user.id !== userId) return res.status(403).json({ error: 'Access denied' });
if (!req.user.is_admin) return res.status(403).json({ error: 'Access denied' });
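Review bot: The new guard on the last line reads `req.user.is_admin` unconditionally, so it is only safe if an authentication middleware that populates `req.user` always runs before this handler; please confirm the restore route is registered behind it, since a request reaching this line without `req.user` would throw rather than return 403. Since the ownership comparison against `userId` is gone from this line, consider moving the admin check into a shared `requireAdmin`-style route middleware instead of an inline early return, so the listing and creation endpoints the description leaves unchanged can adopt the same policy later without each handler repeating the check, and so the new controller test can target one place.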

P2: Keep non-admin backup flow usable after restore permission change

This change makes POST /api/users/:userId/backups/:id/restore return 403 for every non-admin request, but non-admin users are still routed through the backup UI flow (see loadUsers() handling of non-admins and restore button/API call in public/app.js), so they can create backups yet always hit an access-denied error when trying to restore them. That is a user-facing regression introduced by this authorization change; either the non-admin restore action needs to be removed/disabled in the UI (and related messaging updated) or the server-side policy needs a compatible fallback.


@Bladestar2105 Bladestar2105 deleted the codex/fix-user-backup-restore-authorization-flaw branch May 6, 2026 06:28

1 participant