Summary
The add() method in ItemController.php (line 44) retrieves a Collection using find() which bypasses Doctrine ownership filters, allowing any authenticated user to create items in other users' collections.
Vulnerability Details
// ItemController.php:44 (VULNERABLE)
$collection = $collectionRepository->find($request->query->get('collection'));

// PhotoController.php:25-28 (SECURE)
$album = $albumRepository->findOneBy([
    'id' => $request->query->get('album'),
    'owner' => $this->getUser(),
]);
PhotoController.add() correctly scopes the lookup to the current user via 'owner' => $this->getUser(). ItemController.add() uses the base find(), which looks up the Collection by primary key alone, without any owner filtering.
Impact
Any authenticated user can create items in any other user's collection by specifying their collection ID in the query parameter (/items/add?collection={uuid}).
Recommended Fix
$collection = $collectionRepository->findOneBy([
    'id' => $request->query->get('collection'),
    'owner' => $this->getUser(),
]);
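The following is an added example, not code from the report or from the affected project. It uses a small in-memory stand-in for a Doctrine repository (the User, Collection and CollectionRepository classes, and the two resolve functions, are assumptions chosen for the illustration) to show side by side why the unscoped find() hands back another user's collection and why the scoped findOneBy() from the recommended fix does not. It also covers the step the fix snippet leaves implicit: findOneBy() returns null when the id exists but belongs to someone else, so the controller must treat null as "not found" rather than pass it on.

```php
<?php
// Added example (not from the original report). Requires PHP 8.1+.
declare(strict_types=1);

final class User
{
    public function __construct(public readonly string $id) {}
}

final class Collection
{
    public function __construct(
        public readonly string $id,
        public readonly User $owner,
    ) {}
}

/**
 * Mimics the two Doctrine EntityRepository methods the report contrasts:
 * find() looks up by primary key only; findOneBy() requires every criterion
 * in the array to match.
 */
final class CollectionRepository
{
    /** @var array<string, Collection> */
    private array $rows = [];

    public function add(Collection $c): void
    {
        $this->rows[$c->id] = $c;
    }

    public function find(string $id): ?Collection
    {
        return $this->rows[$id] ?? null;
    }

    /** @param array{id?: string, owner?: User} $criteria */
    public function findOneBy(array $criteria): ?Collection
    {
        foreach ($this->rows as $row) {
            if (isset($criteria['id']) && $row->id !== $criteria['id']) {
                continue;
            }
            // Object identity comparison: the owner must be the very same User.
            if (isset($criteria['owner']) && $row->owner !== $criteria['owner']) {
                continue;
            }
            return $row;
        }
        return null;
    }
}

// VULNERABLE shape (same pattern as ItemController.php:44): the lookup key comes
// straight from the request and ownership is never consulted.
function resolveCollectionUnscoped(CollectionRepository $repo, User $currentUser, string $requestedId): ?Collection
{
    return $repo->find($requestedId);
}

// SECURE shape (same pattern as the recommended fix): ownership is part of the
// query, and a null result becomes a 404 so the caller can never continue with
// a collection it does not own. RuntimeException stands in for Symfony's
// $this->createNotFoundException() here.
function resolveCollectionScoped(CollectionRepository $repo, User $currentUser, string $requestedId): Collection
{
    $collection = $repo->findOneBy([
        'id'    => $requestedId,
        'owner' => $currentUser,
    ]);
    if ($collection === null) {
        throw new RuntimeException('404 Not Found: no such collection for this user');
    }
    return $collection;
}

// Constructed sample data: two users, each owning one collection.
$alice = new User('alice');
$bob   = new User('bob');
$repo  = new CollectionRepository();
$aliceCollectionId = '11111111-1111-1111-1111-111111111111'; // constructed uuid
$repo->add(new Collection($aliceCollectionId, $alice));
$repo->add(new Collection('22222222-2222-2222-2222-222222222222', $bob));

// Bob's request carries Alice's collection id in the query parameter.
$leaked = resolveCollectionUnscoped($repo, $bob, $aliceCollectionId);
echo 'unscoped lookup returned collection owned by: ' . ($leaked?->owner->id ?? 'none') . PHP_EOL;

try {
    resolveCollectionScoped($repo, $bob, $aliceCollectionId);
    echo 'scoped lookup unexpectedly succeeded' . PHP_EOL;
} catch (RuntimeException $e) {
    echo 'scoped lookup rejected: ' . $e->getMessage() . PHP_EOL;
}

// The legitimate owner still gets her own collection through the scoped path.
$own = resolveCollectionScoped($repo, $alice, $aliceCollectionId);
echo 'scoped lookup for the owner returned collection owned by: ' . $own->owner->id . PHP_EOL;
```

Running this with `php example.php` prints that the unscoped lookup returns Alice's collection to Bob, that the scoped lookup rejects Bob's request, and that Alice's own request still succeeds. The design point is that the owner criterion belongs inside the query itself rather than in a check bolted on after find(): a single findOneBy() with both 'id' and 'owner' cannot be forgotten on one code path and remembered on another, and the explicit null handling keeps a missing or foreign id from reaching the code that attaches the new item.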
Found via automated security research. CWE-639: Authorization Bypass Through User-Controlled Key.