[Bug] Broken Object Level Authorization (BOLA) in Employee Onboarding Checklist Retrieval #385

@anshul23102

Description

The route GET /api/onboarding/:employeeId allows users with the EMPLOYEE_READ permission to retrieve an onboarding checklist. However, the controller does not verify that the requesting user's employee profile ID matches the requested employeeId.

An employee with the EMPLOYEE_READ permission can retrieve the onboarding checklist, target dates, onboarding tasks, and notes of any other employee in the system by changing the employeeId parameter in the URL.

Source Code Location

  • File: server/src/module/onboarding/onboarding.controller.ts
  • File: server/src/module/onboarding/onboarding.service.ts

Reproduction Steps

  1. Authenticate as Employee A, who has EMPLOYEE_READ permission.
  2. Send a request to GET /api/onboarding/<EmployeeId_of_Employee_B>.
  3. The server successfully returns Employee B's onboarding checklist items and sensitive progress tracking data without any authorization check.

Proposed Fix

Ensure that non-HR users can only access their own onboarding checklist. Query the employee table to find the employee record associated with req.user.id and verify it matches the parameter:

// Resolve the employee record that belongs to the authenticated user.
const employee = await prisma.employee.findUnique({
  where: { userId: req.user.id },
  select: { id: true },
});

// HR roles may read any checklist; everyone else only their own.
const userPermissions = await getUserPermissions(req.user.id);
const isHR = userPermissions.some((p) =>
  ["HR_READ", "HR_WRITE", "HR_ADMIN"].includes(p)
);

// employeeId is the :employeeId route parameter (a string); employee.id must be
// compared as the same type, or the check will deny every non-HR request.
if (!isHR && employee?.id !== employeeId) {
  res.status(403).json({ message: "Access denied" });
  return;
}
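The reproduction steps and the proposed fix, as an added example that is not the project's code: a constructed in-memory data set stands in for prisma.employee and getUserPermissions (the names the issue uses are assumed), IDs are assumed to be strings, and the handlers return a plain status/body object instead of writing to an Express response. The vulnerable handler shows Employee A reading Employee B's checklist; the hardened one applies the ownership check with an HR bypass.

```typescript
// Added example, not the project's own code. Constructed data; the lookups
// are synchronous stand-ins for prisma.employee.findUnique and
// getUserPermissions (names assumed from the issue).

type Permission = "EMPLOYEE_READ" | "HR_READ" | "HR_WRITE" | "HR_ADMIN";

interface Employee {
  id: string;
  userId: string;
}

interface Checklist {
  employeeId: string;
  tasks: string[];
  notes: string;
}

interface HttpResult {
  status: number;
  body: unknown;
}

// Constructed sample data: user-a and user-b are ordinary employees,
// user-hr holds an HR permission and no employee row of its own.
const EMPLOYEES: Employee[] = [
  { id: "emp-1", userId: "user-a" },
  { id: "emp-2", userId: "user-b" },
];

const PERMISSIONS: Record<string, Permission[]> = {
  "user-a": ["EMPLOYEE_READ"],
  "user-b": ["EMPLOYEE_READ"],
  "user-hr": ["EMPLOYEE_READ", "HR_READ"],
};

const CHECKLISTS: Record<string, Checklist> = {
  "emp-1": { employeeId: "emp-1", tasks: ["Sign NDA"], notes: "A's notes" },
  "emp-2": { employeeId: "emp-2", tasks: ["Laptop setup"], notes: "B's notes" },
};

const HR_PERMISSIONS: ReadonlySet<Permission> = new Set<Permission>([
  "HR_READ",
  "HR_WRITE",
  "HR_ADMIN",
]);

function findEmployeeByUserId(userId: string): Employee | undefined {
  return EMPLOYEES.find((e) => e.userId === userId);
}

function getUserPermissions(userId: string): Permission[] {
  return PERMISSIONS[userId] ?? [];
}

function loadChecklist(employeeId: string): HttpResult {
  const checklist = CHECKLISTS[employeeId];
  return checklist
    ? { status: 200, body: checklist }
    : { status: 404, body: { message: "Not found" } };
}

// Vulnerable shape described in the issue: the permission check alone
// decides access, so any EMPLOYEE_READ holder can read any employeeId.
function getOnboardingVulnerable(requesterUserId: string, employeeId: string): HttpResult {
  if (!getUserPermissions(requesterUserId).includes("EMPLOYEE_READ")) {
    return { status: 403, body: { message: "Access denied" } };
  }
  return loadChecklist(employeeId);
}

// Hardened handler: HR may read any checklist; everyone else only the
// checklist whose employee record is tied to their own user ID. An account
// with no employee row is denied explicitly instead of being special-cased.
function getOnboardingFixed(requesterUserId: string, employeeId: string): HttpResult {
  const permissions = getUserPermissions(requesterUserId);
  if (!permissions.includes("EMPLOYEE_READ")) {
    return { status: 403, body: { message: "Access denied" } };
  }
  const isHR = permissions.some((p) => HR_PERMISSIONS.has(p));
  const own = findEmployeeByUserId(requesterUserId);
  if (!isHR && (own === undefined || own.id !== employeeId)) {
    return { status: 403, body: { message: "Access denied" } };
  }
  return loadChecklist(employeeId);
}
```

The authorization decision is made before the checklist is loaded, so a denied request never touches the target record; a real handler would also want the 403 and 404 paths to stay indistinguishable from the outside if enumeration of employee IDs is a concern.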
