IDOR/BOLA in AffiliateRequestsController#approve allows unauthenticated approval #10

@ghost

Description

An unauthenticated user can approve any pending affiliate request by sending a GET request to /affiliate_requests/:id/approve with a valid external_id. The set_affiliate_request before_action fetches the AffiliateRequest object based on the user-supplied ID without checking if the user is authorized to approve it. The approve action is excluded from the authenticate_user! before_action and the can_perform_action? check only verifies the state of the request, not the user's permissions.

File: app/controllers/affiliate_requests_controller.rb
Route: GET /affiliate_requests/:id/approve
Vulnerable Code:

  • before_action :set_affiliate_request, only: %i[approve ignore] (line 12)
  • set_affiliate_request method (lines 111-113) uses AffiliateRequest.find_by_external_id!(params[:id])
  • approve action (lines 63-74) calls perform_action_if_permitted which checks state but not user authorization.
  • approve is in PUBLIC_ACTIONS (line 6), bypassing authentication.

Impact: Allows unauthenticated attackers to approve any pending affiliate request if they know or can guess the external_id.

Reproduction Steps:

  1. Obtain the external_id of a pending affiliate request.
  2. Send a GET request to /affiliate_requests/:id/approve with the obtained ID.
  3. The request is approved without authentication or authorization check.

Recommendation: Implement proper authorization in the approve action to ensure only the legitimate seller associated with the affiliate request can approve it. This should likely involve checking current_user and scoping the AffiliateRequest lookup under the seller, e.g., current_user.affiliate_requests.find_by_external_id!(params[:id]) or using a proper authorization library like Pundit or Cancancan.
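The pattern the issue describes, and the fix it recommends, reduced to a plain-Ruby model that runs without Rails (added example, not code from the project or from the reporter). RecordNotFound, Unauthenticated, Seller, AffiliateRequest, AffiliateRequestRepo and the approve_* methods are stand-ins chosen here for ActiveRecord's find_by_external_id!/RecordNotFound and the controller actions; the sample sellers and requests are constructed inline.

```ruby
# Added example (not the project's code): the vulnerable shape from the issue
# (no authentication, global lookup, state-only check) next to the recommended
# fix (require a signed-in seller and scope the lookup to that seller's own
# requests). All class and method names are stand-ins for this example.
require 'securerandom'

class RecordNotFound < StandardError; end
class Unauthenticated < StandardError; end

Seller = Struct.new(:id, :name)

class AffiliateRequest
  attr_reader :external_id, :seller, :state

  def initialize(seller)
    @external_id = SecureRandom.hex(8) # opaque id that appears in the URL
    @seller = seller
    @state = :pending
  end

  def approve!
    @state = :approved
  end
end

# Stands in for the ActiveRecord relation the controller queries.
class AffiliateRequestRepo
  def initialize(rows = [])
    @rows = rows
  end

  def create(seller)
    AffiliateRequest.new(seller).tap { |r| @rows << r }
  end

  # Global lookup: anyone holding a valid external_id gets the row.
  def find_by_external_id!(external_id)
    @rows.find { |r| r.external_id == external_id } or
      raise RecordNotFound, "AffiliateRequest #{external_id}"
  end

  # Scoped view (analogue of current_user.affiliate_requests): another seller's
  # request is simply absent from the set, so the lookup raises RecordNotFound
  # exactly as it would for an id that does not exist.
  def for_seller(seller)
    AffiliateRequestRepo.new(@rows.select { |r| r.seller.id == seller.id })
  end
end

module ApproveFlows
  module_function

  # Vulnerable shape: no current_user, unscoped lookup, and the only gate is
  # the request's state (the can_perform_action? analogue).
  def approve_unauthenticated(repo, external_id)
    req = repo.find_by_external_id!(external_id)
    return :not_permitted unless req.state == :pending
    req.approve!
    :approved
  end

  # Hardened shape: authenticate first, then look the request up only inside
  # the signed-in seller's own requests before the state check runs.
  def approve_as(repo, current_user, external_id)
    raise Unauthenticated, 'sign in required' if current_user.nil?
    req = repo.for_seller(current_user).find_by_external_id!(external_id)
    return :not_permitted unless req.state == :pending
    req.approve!
    :approved
  end

  # Maps the exceptions the flows raise to symbols for easy comparison.
  def outcome
    yield
  rescue RecordNotFound then :not_found
  rescue Unauthenticated then :unauthenticated
  end

  # Builds constructed sample data and exercises both flows; the anonymous and
  # attacker attempts run before the owner's, so the hardened request is still
  # pending when its legitimate seller approves it.
  def demo
    repo = AffiliateRequestRepo.new
    victim = Seller.new(1, 'victim-seller')
    attacker = Seller.new(2, 'attacker')
    vulnerable_req = repo.create(victim)
    hardened_req = repo.create(victim)
    {
      vulnerable: outcome { approve_unauthenticated(repo, vulnerable_req.external_id) },
      hardened_anonymous: outcome { approve_as(repo, nil, hardened_req.external_id) },
      hardened_attacker: outcome { approve_as(repo, attacker, hardened_req.external_id) },
      hardened_owner: outcome { approve_as(repo, victim, hardened_req.external_id) },
      vulnerable_req_state: vulnerable_req.state,
      hardened_req_state: hardened_req.state
    }
  end
end

p ApproveFlows.demo if $PROGRAM_NAME == __FILE__
```

The point of scoping the lookup rather than adding a separate ownership comparison after the find is that a foreign external_id and a nonexistent one produce the same RecordNotFound (a 404 in Rails), so the endpoint does not become an oracle for which ids exist.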
