
Hotfix/issue#315 security bulk operations #319

Open

we-shivang-g001-v1 wants to merge 21 commits into 2.x from hotfix/issue#315-security-bulk-operations


Conversation

@we-shivang-g001-v1

Fix: Add missing permission checks to bulk operations across controllers

Description

This PR fixes critical authorization gaps where bulk operations were skipping permission checks, allowing unauthorized users to perform destructive actions.
Changes Implemented

  • Added permission checks to bulk endpoints to match single-item operations
  • Ensured consistent use of hasPermission() / hasPermissions() across controllers

Fixed Issues

  1. UsersController::deleteList()

    • Added can-delete-users permission check
  2. FailedJobsController

    • updateList() → Added can-update-failed-jobs
    • listAction() → Added action-based permission checks
  3. BatchesController

    • deleteList() → Added delete permission check
    • listAction() → Added action-based permission validation

Root Cause

Bulk operations did not enforce authorization checks, while single-item operations already had proper permission validation. This PR aligns both behaviors.
Impact

  • Prevents unauthorized bulk delete/update/actions
  • Ensures consistent and secure permission handling across the application
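
As an added illustration of the pattern the description lists (this is not code from the PR or the project), the following stand-alone PHP script uses a hypothetical PermissionChecker in place of the project's hasPermission()/hasPermissions() helpers, a controller whose deleteList() skips the check that delete() performs, the fixed controller with a closed action-to-permission map for listAction(), and a probe that a regression test could use to confirm every destructive entry point refuses a caller holding no permissions. Controller names, the UserStore and the permission strings are assumptions drawn from the description.

```php
<?php
declare(strict_types=1);

// Added illustration for this PR, not the project's code. PermissionChecker stands in for
// the project's hasPermission()/hasPermissions() helpers; the controllers, UserStore and
// the action-to-permission map are hypothetical. Requires PHP 8.0+.

final class ForbiddenException extends RuntimeException {}

final class PermissionChecker
{
    /** @param string[] $granted permission names held by the current user */
    public function __construct(private array $granted) {}

    public function hasPermission(string $permission): bool
    {
        return in_array($permission, $this->granted, true);
    }

    /** All listed permissions must be held. */
    public function hasPermissions(array $permissions): bool
    {
        foreach ($permissions as $permission) {
            if (!$this->hasPermission($permission)) {
                return false;
            }
        }
        return true;
    }
}

final class UserStore
{
    /** @param array<int,string> $users id => name */
    public function __construct(private array $users) {}
    public function remove(int $id): void { unset($this->users[$id]); }
    public function count(): int { return count($this->users); }
}

/** Before the fix: delete() is gated, deleteList() is not. */
final class VulnerableUsersController
{
    public function __construct(private PermissionChecker $auth, private UserStore $store) {}

    public function delete(int $id): void
    {
        if (!$this->auth->hasPermission('can-delete-users')) {
            throw new ForbiddenException('can-delete-users required');
        }
        $this->store->remove($id);
    }

    public function deleteList(array $ids): void
    {
        foreach ($ids as $id) {     // no check: any caller that reaches this route can purge users
            $this->store->remove($id);
        }
    }
}

/** After the fix: bulk paths require the same permission as the single-item path, and the
 *  action-based endpoint resolves its permission from a closed map (unknown action => refuse). */
final class FixedUsersController
{
    private const ACTION_PERMISSIONS = ['delete' => ['can-delete-users']];

    public function __construct(private PermissionChecker $auth, private UserStore $store) {}

    public function delete(int $id): void
    {
        $this->authorize(['can-delete-users']);
        $this->store->remove($id);
    }

    public function deleteList(array $ids): void
    {
        $this->authorize(['can-delete-users']);   // once, before the loop
        foreach ($ids as $id) {
            $this->store->remove($id);
        }
    }

    public function listAction(string $action, array $ids): void
    {
        if (!isset(self::ACTION_PERMISSIONS[$action])) {
            throw new ForbiddenException("unknown bulk action '$action'");
        }
        $this->authorize(self::ACTION_PERMISSIONS[$action]);
        foreach ($ids as $id) {
            $this->store->remove($id);   // 'delete' is the only action in the map
        }
    }

    private function authorize(array $required): void
    {
        if (!$this->auth->hasPermissions($required)) {
            throw new ForbiddenException(implode(', ', $required) . ' required');
        }
    }
}

/** Regression probe: an unprivileged caller must be refused by every destructive entry point. */
function refusesUnprivilegedCaller(object $controller, array $calls): bool
{
    foreach ($calls as [$method, $args]) {
        try {
            $controller->$method(...$args);
            return false;               // the call went through: authorization gap
        } catch (ForbiddenException) {
        }
    }
    return true;
}

$nobody = new PermissionChecker([]);
$seed   = [1 => 'alice', 2 => 'bob', 3 => 'carol'];   // constructed sample data

$store = new UserStore($seed);
$ok = refusesUnprivilegedCaller(new VulnerableUsersController($nobody, $store),
    [['delete', [1]], ['deleteList', [[1, 2]]]]);
printf("vulnerable: refuses all=%s, users left=%d\n", var_export($ok, true), $store->count());

$store = new UserStore($seed);
$ok = refusesUnprivilegedCaller(new FixedUsersController($nobody, $store),
    [['delete', [1]], ['deleteList', [[1, 2]]], ['listAction', ['delete', [1, 2]]], ['listAction', ['purge', [3]]]]);
printf("fixed: refuses all=%s, users left=%d\n", var_export($ok, true), $store->count());
```

Two design choices are worth keeping when porting this to real controllers: the bulk check runs once before the loop rather than per item, so the cost is constant and there is no partial-deletion window; and listAction() refuses any action absent from the map instead of falling through, so adding a new bulk action without a permission entry fails closed. The probe function is the shape of the regression test that keeps bulk and single-item endpoints in lockstep.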
