Skip to content

[Security] Authorization bypass in validate_obj_owner() — IDOR on models without owner field #603

Description

@sunplacesolutions

CWE-639 — Broken Object-Level Authorization
File: community/views.py:67-76

validate_obj_owner() silently catches AttributeError when a model lacks an owner field, returning the object without authorization:

def validate_obj_owner(obj, user):
    try:
        if not obj.owner == user:
            raise Http404()
    except AttributeError:
        pass        # ← bypasses check
    return obj

Impact: Company model has no owner field → CompanyUpdateView and CompanyDeleteView (both inherit OwnedObject) allow any authenticated user to edit/delete any company.

Fix:

def validate_obj_owner(obj, user):
    if not hasattr(obj, 'owner'):
        raise Http404()
    if obj.owner != user:
        raise Http404()
    return obj

Reporter: Juan Lucas Armendares — Sunplace Solutions

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions