Bug Summary
addForum in backend/controllers/forum.controller.js reads the topic author from the request body rather than from the authenticated session:
```js
// backend/controllers/forum.controller.js (current, vulnerable version)
// ForumTopic is the Mongoose model imported elsewhere in this file.
async function addForum(req, res, next) {
  const topicData = {
    title: req.body.title,
    description: req.body.description,
    // Author taken from the request body: a client-supplied identity.
    // req.user, set by the JWT middleware, is never consulted.
    user: req.body.user_id || req.body.user
  };
  const topic = await ForumTopic.create(topicData);
  res.status(201).json(topic);
}
```
req.user (the verified JWT payload) is never used. Any authenticated user can supply another user's MongoDB ObjectId in user_id or user, and the forum topic will be attributed to that user. The impersonated user's name will then appear as the topic author in listForums (which populates user.name).
Steps to Reproduce
- Log in as User A and obtain a valid session cookie.
- Look up User B's `_id` (visible in any alumni directory response).
- POST to `/api/v1/forums` with `{ "title": "...", "description": "...", "user_id": "<User B _id>" }`.
- Observe that the created topic shows User B's name as the author.
Expected Behavior
The user field on a new forum topic should always be set to req.user.id (the authenticated caller), never to a client-supplied value. The server is the authoritative source of identity.
Actual Behavior
Any authenticated user can author forum topics under any other user's identity by supplying a different user_id in the request body.
Affected File
backend/controllers/forum.controller.js, addForum function.
Hi @omkarhole, I would like to work on this fix under NSoC '26. Could you please assign this issue to me? Thank you.