Description
The create_self_assignment endpoint accepts an owner field from the request body but never validates that the owner matches the authenticated user. A regular user can create an assignment with owner: "adminuser", making it appear as though adminuser owns the allocation.
Affected Code
src/quads/server/blueprints/assignments.py:286-471 (create_self_assignment)
Impact
- SSH key distribution installs wrong user's keys
- Assignment termination by wrong user
- Audit trail integrity is compromised
- JIRA ticket attribution is incorrect
Recommended Fix
Validate that data.get("owner") matches g.current_user.email.split("@")[0] when the caller is not an admin. Reject requests where the authenticated user does not match the specified owner.
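One way to implement the check described under Recommended Fix, as an added example rather than QUADS code. The names resolve_owner, OwnerMismatch and the is_admin flag are hypothetical, and binding a missing owner to the caller is a choice made here, not something the report specifies.

```python
class OwnerMismatch(Exception):
    """A non-admin caller named an owner other than themselves."""


def username_from_email(email):
    # Same derivation the report recommends: the local part of the login
    # email. Assumes local parts are unique across accounts.
    local, sep, _domain = (email or "").partition("@")
    if not sep or not local:
        raise ValueError("authenticated identity has no usable email")
    return local


def resolve_owner(data, current_email, is_admin):
    """Return the owner value that may be stored for this request.

    data          -- parsed JSON request body (dict)
    current_email -- g.current_user.email in the endpoint
    is_admin      -- hypothetical flag; how admin status is determined
                     is not shown in the report
    """
    caller = username_from_email(current_email)
    requested = data.get("owner")
    if requested is None:
        return caller  # assumption: a missing owner is bound to the caller
    if not isinstance(requested, str) or not requested:
        raise OwnerMismatch("owner must be a non-empty string")
    if is_admin:
        return requested  # admins may create assignments for other users
    if requested != caller:  # exact match only, no case folding
        raise OwnerMismatch(f"{caller!r} may not create an assignment owned by {requested!r}")
    return caller


if __name__ == "__main__":
    # Constructed sample requests: (body, authenticated email, is_admin)
    samples = [
        ({"owner": "alice"}, "alice@example.com", False),
        ({"owner": "adminuser"}, "alice@example.com", False),
        ({"owner": "adminuser"}, "ops@example.com", True),
        ({}, "alice@example.com", False),
    ]
    for body, email, admin in samples:
        try:
            print(email, body, "->", resolve_owner(body, email, admin))
        except OwnerMismatch as exc:
            print(email, body, "-> rejected:", exc)
```

In the endpoint, the check belongs before any assignment record is created, with OwnerMismatch translated into an error response.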