Description
Several user-management endpoints in the users blueprint lack the @check_access decorator, so they can be called without any authentication:
GET /api/v3/users/ - list all users
GET /api/v3/users/<id> - get specific user
PATCH /api/v3/users/<id> - update user
POST /api/v3/users/<id>/reset_password - reset password for any user
GET /api/v3/users/search - search users
DELETE /api/v3/users/<id> - delete user (this one does carry @check_access(["admin"]); the endpoints above do not)
Affected Code
src/quads/server/blueprints/users.py:52-117,119-143,145-159,161-189,191-204
Impact
- Information disclosure of all user accounts (listing, lookup by id and search)
- Unauthorized modification of any user's record
- Ability to reset any user's password without authenticating
Recommended Fix
Add @check_access(["admin"]) to every user-management endpoint that should be restricted to administrators, or @check_access([]) (any authenticated caller) to self-service endpoints. Note that @check_access([]) only establishes that the caller is logged in; a self-service handler must still verify that <id> belongs to the authenticated user, otherwise any account can read or modify any other.
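The quickest way to confirm the gap, and to make sure the fix lands on every handler, is to audit the blueprint source rather than read it by eye. The script below is an added example, not QUADS project code: it parses a module with the standard-library ast module, finds every function carrying a Flask-style @<blueprint>.route(...) decorator, and reports those with no @check_access, plus those where @check_access is written above the route decorator (decorators apply bottom-up, so in that order Flask registers the bare function and the check never runs). SAMPLE_SOURCE is a constructed stand-in that mirrors the endpoint set described above; the blueprint variable name, the import path of check_access and the handler names are assumptions for the sample, not the project's identifiers.

```python
"""Audit Flask blueprint source for route handlers lacking an effective @check_access."""
import ast
from typing import Dict, List

# Constructed sample standing in for a users blueprint. It is not the project's
# source; it only mirrors the endpoint set and decorator pattern the report describes.
SAMPLE_SOURCE = '''
from flask import Blueprint, jsonify
from quads.server.blueprints import check_access  # import path assumed for the sample

user_bp = Blueprint("user", __name__)

@user_bp.route("/")
def get_users():
    return jsonify([])

@user_bp.route("/<user_id>")
def get_user(user_id):
    return jsonify({})

@user_bp.route("/<user_id>", methods=["PATCH"])
def update_user(user_id):
    return jsonify({})

@user_bp.route("/<user_id>/reset_password", methods=["POST"])
def reset_password(user_id):
    return jsonify({})

@user_bp.route("/search")
def search_users():
    return jsonify([])

@user_bp.route("/<user_id>", methods=["DELETE"])
@check_access(["admin"])
def delete_user(user_id):
    return jsonify({})
'''

# Constructed snippet of a common pitfall when applying the fix: decorators apply
# bottom-up, so with @check_access above @<bp>.route Flask registers the bare
# handler and the checked wrapper is never called.
MISORDERED_SAMPLE = '''
@check_access(["admin"])
@user_bp.route("/<user_id>", methods=["PATCH"])
def update_user(user_id):
    return jsonify({})
'''


def _decorator_name(node: ast.expr) -> str:
    """Dotted name of a decorator with call parentheses stripped.

    @check_access(["admin"]) -> "check_access";  @user_bp.route("/x") -> "user_bp.route"
    """
    if isinstance(node, ast.Call):
        node = node.func
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def _route_methods(call: ast.expr) -> List[str]:
    """Methods declared in a .route() call; Flask defaults to GET when absent."""
    if isinstance(call, ast.Call):
        for kw in call.keywords:
            if kw.arg == "methods" and isinstance(kw.value, (ast.List, ast.Tuple)):
                return [e.value for e in kw.value.elts if isinstance(e, ast.Constant)]
    return ["GET"]


def audit_routes(source: str) -> List[Dict[str, object]]:
    """One finding per route handler not effectively protected by @check_access.

    reason "missing":    no @check_access on the handler at all
    reason "misordered": @check_access sits above the route decorator, so it never runs
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        names = [_decorator_name(d) for d in node.decorator_list]  # top-to-bottom order
        route_idx = [i for i, n in enumerate(names) if n.endswith(".route")]
        if not route_idx:
            continue  # not a route handler
        check_idx = [i for i, n in enumerate(names) if n == "check_access"]
        if not check_idx:
            reason = "missing"
        elif min(check_idx) < max(route_idx):
            reason = "misordered"
        else:
            continue  # route decorator outermost, check_access inside: effective
        for i in route_idx:
            call = node.decorator_list[i]
            args = call.args if isinstance(call, ast.Call) else []
            path = args[0].value if args and isinstance(args[0], ast.Constant) else "?"
            findings.append({"function": node.name, "methods": _route_methods(call),
                             "path": path, "line": node.lineno, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_routes(SAMPLE_SOURCE) + audit_routes(MISORDERED_SAMPLE):
        print(f"{f['reason']:10} {','.join(f['methods']):6} {f['path']:28} {f['function']} (line {f['line']})")
```

Run against the constructed sample it flags the five handlers named in the description and leaves delete_user alone; pointed at the real blueprint file (read its contents into audit_routes) the same logic gives a reviewable list to re-run after the decorators are added, so no endpoint is missed and none is decorated in the ineffective order.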