
fix: remove client-side role checks to prevent privilege escalation #9

Closed
wicky-zipstack wants to merge 2 commits into main from fix/remove-client-role-checks

Conversation

@wicky-zipstack
Contributor

What

  • Remove user_role === "visitran_super_admin" checks from MenuTree.jsx and route-component.jsx
  • Remove Role field from Profile page that displayed interceptable session data

Why

How

MenuTree.jsx: Removed userRole === "visitran_super_admin" condition. UAC menu items now show based only on whether the plugin component exists (hasRoles, hasResources, etc.). In OSS, plugins don't exist so menu items don't show. In cloud, backend returns 403 on the actual data endpoints for unauthorized users (PR #310 on cloud repo).

Profile.jsx: Removed Role field that displayed sessionDetails.user_role (interceptable). Removed useSessionStore dependency.

Can this PR break any existing features? If yes, please list possible items. If no, please explain why. (PS: Admins do not merge the PR without this section filled.)

  • OSS: No impact. Admin plugins (Roles, Resources, Permissions, SubscriptionAdmin) don't exist in OSS — try/require fails, components are undefined, routes and menu items don't render. Same behavior as before.
  • Cloud: Admin menu items and routes now always exist when plugins are loaded. Access control moves from client-side (interceptable) to server-side (backend 403). Combined with cloud PR #310 which redirects on 403, unauthorized users see nothing.

Database Migrations

None

Env Config

None

Related Issues or PRs

Notes on Testing

  1. OSS: Settings menu should only show Profile, no admin items — same as before
  2. Cloud (admin): All admin pages load normally

Checklist

  • I have read and understood the Contribution Guidelines.
  • MenuTree.jsx: userRole check removed
  • route-component.jsx: sessionDetails.user_role check removed
  • Profile.jsx: Role field removed, sessionStore dependency removed
  • OSS verified: no impact (plugins don't exist)

…ia session interception

- Profile.jsx: remove Role field display that showed intercepted role from session store
…ause of privilege escalation

The checkPermission() function in helpers.js had a shortcut that returned true
for all permission checks if user_role === "visitran_super_admin". Since
user_role is read from localStorage (editable by user), this allowed any user
to bypass all frontend permission checks by modifying their session data.

Now always uses server-returned permissions from permissionDetails store.
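The shortcut the commit message describes, and the client/server split the PR description relies on, as an added example that is not the project's code: the vulnerable check beside the fixed one, plus a constructed server-side check that returns 403. Store shapes, function names and sample values are assumptions.

```javascript
// Added example, not the project's code: the localStorage-driven shortcut the
// commit message describes, beside a check that trusts only server-returned
// permissions. Store shapes, names and sample values are assumptions.

// Constructed stand-in for window.localStorage so this runs under Node.
const fakeLocalStorage = new Map();
fakeLocalStorage.set("sessionDetails", JSON.stringify({ user_role: "member" }));

// Before the fix: a cached role of "visitran_super_admin" short-circuits every
// permission check, and that cached value is whatever the browser holds.
function checkPermissionVulnerable(permission, permissionDetails) {
  const session = JSON.parse(fakeLocalStorage.get("sessionDetails") || "{}");
  if (session.user_role === "visitran_super_admin") return true; // trusts client data
  return permissionDetails.includes(permission);
}

// After the fix: only the permission list the backend returned (the
// permissionDetails store) is consulted; nothing from localStorage matters.
function checkPermission(permission, permissionDetails) {
  return Array.isArray(permissionDetails) && permissionDetails.includes(permission);
}

// Reproduces the precondition from the commit message for a test: the user
// edits their own cached session. Used here only to show the two checks diverge.
function simulateTamperedSession(role) {
  const session = JSON.parse(fakeLocalStorage.get("sessionDetails") || "{}");
  session.user_role = role;
  fakeLocalStorage.set("sessionDetails", JSON.stringify(session));
}

// Constructed server-side counterpart of the 403 behaviour the PR relies on:
// the decision uses the server's own session record, not anything the client sent.
function authorizeRequest(serverSession, requiredPermission) {
  const perms = (serverSession && serverSession.permissions) || [];
  return perms.includes(requiredPermission) ? { status: 200 } : { status: 403 };
}

// Walks through the scenario: a non-admin whose backend grant is only
// "view_profile" tampers the cached role and then asks for "manage_roles".
function demo() {
  const grantedByServer = ["view_profile"]; // constructed sample grant
  simulateTamperedSession("visitran_super_admin");
  return {
    vulnerable: checkPermissionVulnerable("manage_roles", grantedByServer), // true
    fixed: checkPermission("manage_roles", grantedByServer), // false
    backend: authorizeRequest({ permissions: grantedByServer }, "manage_roles").status, // 403
  };
}
```

The point the PR makes is visible in demo(): the same tampered session flips the old check to true while the fixed check and the backend both deny.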
wicky-zipstack deleted the fix/remove-client-role-checks branch on March 26, 2026 at 12:34