Summary
The Helpy API has missing team-based authorization checks on several ticket manipulation endpoints, allowing team-restricted agents to access and modify tickets belonging to other teams.
Vulnerability Details
1. API Split Endpoint - Missing Team Check
File: app/controllers/api/v1/topics.rb line 238
The POST /api/v1/tickets/split/:post_id endpoint loads a post by ID without checking if the parent ticket belongs to the agent's team:
post "split/:post_id", root: :topics do
post = Post.where(id: permitted_params[:post_id]).first # No team check
parent_topic = post.topic
# Creates new topic from the post without team validation
end
Secure comparison: The assign endpoint (line 139-143) properly checks team membership:
post "assign/:id", root: :topics do
if current_user.is_restricted?
ticket = Topic.where(id: permitted_params[:id]).all.tagged_with(current_user.team_list).first
else
ticket = Topic.where(id: permitted_params[:id]).first
end
The same is_restricted? + tagged_with(current_user.team_list) pattern is consistently used in show (line 64-68), update_status (line 162-167), update_tags (line 193-198), and update_forum (line 215-220) but is missing from split and merge.
2. API Merge Endpoint - Missing Team Check
File: app/controllers/api/v1/topics.rb line 282
The POST /api/v1/tickets/merge endpoint merges tickets without any team validation:
post "merge", root: :topics do
@ticket = Topic.merge_topics(params[:topic_ids], params[:user_id])
# Merges ANY tickets regardless of team restrictions
end
3. Admin merge_tickets/split_topic - Missing from before_action
File: app/controllers/admin/topics_controller.rb line 36
The get_topics_cohort before_action protects bulk operations but excludes merge_tickets and split_topic:
before_action :get_topics_cohort, only: ['update_topic', 'assign_agent', 'unassign_agent', 'toggle_privacy', 'assign_team', 'unassign_team']
# merge_tickets and split_topic are NOT in this list
Impact
A team-restricted agent can:
- Split posts from tickets belonging to other teams, creating new accessible tickets
- Merge tickets across team boundaries, gaining access to other teams' ticket content
- These operations bypass the team-based data isolation that other endpoints enforce
Suggested Fix
Add the is_restricted? + tagged_with team check to split and merge endpoints, and add merge_tickets and split_topic to the get_topics_cohort before_action list.
Found during automated security research by Lighthouse
Summary
The Helpy API has missing team-based authorization checks on several ticket manipulation endpoints, allowing team-restricted agents to access and modify tickets belonging to other teams.
Vulnerability Details
1. API Split Endpoint - Missing Team Check
File:
app/controllers/api/v1/topics.rbline 238The
POST /api/v1/tickets/split/:post_idendpoint loads a post by ID without checking if the parent ticket belongs to the agent's team:Secure comparison: The
assignendpoint (line 139-143) properly checks team membership:The same
is_restricted?+tagged_with(current_user.team_list)pattern is consistently used inshow(line 64-68),update_status(line 162-167),update_tags(line 193-198), andupdate_forum(line 215-220) but is missing fromsplitandmerge.2. API Merge Endpoint - Missing Team Check
File:
app/controllers/api/v1/topics.rbline 282The
POST /api/v1/tickets/mergeendpoint merges tickets without any team validation:3. Admin merge_tickets/split_topic - Missing from before_action
File:
app/controllers/admin/topics_controller.rbline 36The
get_topics_cohortbefore_action protects bulk operations but excludesmerge_ticketsandsplit_topic:Impact
A team-restricted agent can:
Suggested Fix
Add the
is_restricted?+tagged_withteam check to split and merge endpoints, and addmerge_ticketsandsplit_topicto theget_topics_cohortbefore_action list.Found during automated security research by Lighthouse