fix(security): tier-0 audit blockers (next CVE, role gate, perm traps, key validation, rate limits)
Closes the five highest-risk findings from docs/audit-comprehensive-2026-05-05.md so the platform is not exposed while the rest of the audit backlog (1 CRIT + 18 HIGH + 32 MED + 23 LOW) is worked through: * CVE-2025-29927 — bump next 15.1.0 → 15.2.9; nginx strips X-Middleware-Subrequest at the edge as defense-in-depth. * Cross-tenant role escalation — POST/PATCH/DELETE on /admin/roles now require super-admin (was: any holder of admin.manage_users). Adds shared `requireSuperAdmin(ctx)` helper. * Silent-403 traps — `documents.edit` and `files.edit` keys added to RolePermissions; seeded role values updated; migration 0041 backfills the new keys on every existing roles+port_role_overrides JSONB. File routes remap the dead `create` action to `upload` / `manage_folders`. * Berth-PDF / brochure register endpoints — reject body.storageKey unless it matches the namespace the matching presign endpoint issued (prevents repointing a tenant's PDF at foreign-port bytes). * Portal auth rate limits — sign-in 5/15min/(ip,email), forgot-password 3/hr/IP, activate/reset/set-password 10/hr/IP. Adds `enforcePublicRateLimit()` for non-`withAuth` routes. Test status unchanged: 1168/1168 vitest, tsc clean. Refs: docs/audit-comprehensive-2026-05-05.md (CRITICAL, HIGH §§1–4) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt Ciaccio
58
src/lib/db/migrations/0041_role_permissions_edit_keys.sql
Normal file
58
src/lib/db/migrations/0041_role_permissions_edit_keys.sql
Normal file
@@ -0,0 +1,58 @@
|
||||
-- Backfill the new `documents.edit` and `files.edit` permission keys on
|
||||
-- every existing row in `roles.permissions`. The schema (RolePermissions
|
||||
-- in src/lib/db/schema/users.ts) added these keys to close the silent-403
|
||||
-- traps on PATCH /api/v1/documents/[id], /cancel, /remind, /watchers, and
|
||||
-- PATCH /api/v1/files/[id] — each used a permission key that did not exist
|
||||
-- in the schema, so withPermission()'s `resourcePerms[action]` returned
|
||||
-- undefined and 403'd every non-superadmin call.
|
||||
--
|
||||
-- Backfill rule:
|
||||
-- documents.edit ← documents.create (anyone who can create can edit)
|
||||
-- files.edit ← files.upload (same rationale)
|
||||
--
|
||||
-- jsonb_set with create_missing=true (the default) inserts the key only
|
||||
-- when it's absent, so re-runs are idempotent and the migration is safe
|
||||
-- against a partial run.
|
||||
|
||||
UPDATE roles
|
||||
SET permissions = jsonb_set(
|
||||
permissions,
|
||||
'{documents,edit}',
|
||||
COALESCE(permissions->'documents'->'create', 'false'::jsonb),
|
||||
true
|
||||
)
|
||||
WHERE permissions->'documents' IS NOT NULL
|
||||
AND NOT (permissions->'documents' ? 'edit');
|
||||
|
||||
UPDATE roles
|
||||
SET permissions = jsonb_set(
|
||||
permissions,
|
||||
'{files,edit}',
|
||||
COALESCE(permissions->'files'->'upload', 'false'::jsonb),
|
||||
true
|
||||
)
|
||||
WHERE permissions->'files' IS NOT NULL
|
||||
AND NOT (permissions->'files' ? 'edit');
|
||||
|
||||
-- Same backfill on per-port overrides (`port_role_overrides.permissions`)
|
||||
-- so an override that flipped a sibling permission stays consistent.
|
||||
|
||||
UPDATE port_role_overrides
|
||||
SET permissions = jsonb_set(
|
||||
permissions,
|
||||
'{documents,edit}',
|
||||
COALESCE(permissions->'documents'->'create', 'false'::jsonb),
|
||||
true
|
||||
)
|
||||
WHERE permissions->'documents' IS NOT NULL
|
||||
AND NOT (permissions->'documents' ? 'edit');
|
||||
|
||||
UPDATE port_role_overrides
|
||||
SET permissions = jsonb_set(
|
||||
permissions,
|
||||
'{files,edit}',
|
||||
COALESCE(permissions->'files'->'upload', 'false'::jsonb),
|
||||
true
|
||||
)
|
||||
WHERE permissions->'files' IS NOT NULL
|
||||
AND NOT (permissions->'files' ? 'edit');
|
||||
@@ -288,6 +288,13 @@
|
||||
"when": 1778300000000,
|
||||
"tag": "0040_error_events",
|
||||
"breakpoints": true
|
||||
},
|
||||
{
|
||||
"idx": 41,
|
||||
"version": "7",
|
||||
"when": 1778400000000,
|
||||
"tag": "0041_role_permissions_edit_keys",
|
||||
"breakpoints": true
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
@@ -30,6 +30,7 @@ export type RolePermissions = {
|
||||
documents: {
|
||||
view: boolean;
|
||||
create: boolean;
|
||||
edit: boolean;
|
||||
send_for_signing: boolean;
|
||||
upload_signed: boolean;
|
||||
delete: boolean;
|
||||
@@ -54,6 +55,7 @@ export type RolePermissions = {
|
||||
files: {
|
||||
view: boolean;
|
||||
upload: boolean;
|
||||
edit: boolean;
|
||||
delete: boolean;
|
||||
manage_folders: boolean;
|
||||
};
|
||||
|
||||
@@ -42,6 +42,7 @@ const ALL_PERMISSIONS: RolePermissions = {
|
||||
documents: {
|
||||
view: true,
|
||||
create: true,
|
||||
edit: true,
|
||||
send_for_signing: true,
|
||||
upload_signed: true,
|
||||
delete: true,
|
||||
@@ -63,7 +64,7 @@ const ALL_PERMISSIONS: RolePermissions = {
|
||||
record_payment: true,
|
||||
export: true,
|
||||
},
|
||||
files: { view: true, upload: true, delete: true, manage_folders: true },
|
||||
files: { view: true, upload: true, edit: true, delete: true, manage_folders: true },
|
||||
email: { view: true, send: true, configure_account: true },
|
||||
reminders: {
|
||||
view_own: true,
|
||||
@@ -116,6 +117,7 @@ const DIRECTOR_PERMISSIONS: RolePermissions = {
|
||||
documents: {
|
||||
view: true,
|
||||
create: true,
|
||||
edit: true,
|
||||
send_for_signing: true,
|
||||
upload_signed: true,
|
||||
delete: true,
|
||||
@@ -137,7 +139,7 @@ const DIRECTOR_PERMISSIONS: RolePermissions = {
|
||||
record_payment: true,
|
||||
export: true,
|
||||
},
|
||||
files: { view: true, upload: true, delete: true, manage_folders: true },
|
||||
files: { view: true, upload: true, edit: true, delete: true, manage_folders: true },
|
||||
email: { view: true, send: true, configure_account: true },
|
||||
reminders: {
|
||||
view_own: true,
|
||||
@@ -190,6 +192,7 @@ const SALES_MANAGER_PERMISSIONS: RolePermissions = {
|
||||
documents: {
|
||||
view: true,
|
||||
create: true,
|
||||
edit: true,
|
||||
send_for_signing: true,
|
||||
upload_signed: true,
|
||||
delete: false,
|
||||
@@ -211,7 +214,7 @@ const SALES_MANAGER_PERMISSIONS: RolePermissions = {
|
||||
record_payment: true,
|
||||
export: true,
|
||||
},
|
||||
files: { view: true, upload: true, delete: false, manage_folders: true },
|
||||
files: { view: true, upload: true, edit: true, delete: false, manage_folders: true },
|
||||
email: { view: true, send: true, configure_account: true },
|
||||
reminders: {
|
||||
view_own: true,
|
||||
@@ -264,6 +267,7 @@ const SALES_AGENT_PERMISSIONS: RolePermissions = {
|
||||
documents: {
|
||||
view: true,
|
||||
create: true,
|
||||
edit: true,
|
||||
send_for_signing: true,
|
||||
upload_signed: true,
|
||||
delete: false,
|
||||
@@ -285,7 +289,7 @@ const SALES_AGENT_PERMISSIONS: RolePermissions = {
|
||||
record_payment: true,
|
||||
export: true,
|
||||
},
|
||||
files: { view: true, upload: true, delete: false, manage_folders: false },
|
||||
files: { view: true, upload: true, edit: false, delete: false, manage_folders: false },
|
||||
email: { view: true, send: true, configure_account: true },
|
||||
reminders: {
|
||||
view_own: true,
|
||||
@@ -338,6 +342,7 @@ const VIEWER_PERMISSIONS: RolePermissions = {
|
||||
documents: {
|
||||
view: true,
|
||||
create: false,
|
||||
edit: false,
|
||||
send_for_signing: false,
|
||||
upload_signed: false,
|
||||
delete: false,
|
||||
@@ -359,7 +364,7 @@ const VIEWER_PERMISSIONS: RolePermissions = {
|
||||
record_payment: false,
|
||||
export: false,
|
||||
},
|
||||
files: { view: true, upload: false, delete: false, manage_folders: false },
|
||||
files: { view: true, upload: false, edit: false, delete: false, manage_folders: false },
|
||||
email: { view: true, send: false, configure_account: false },
|
||||
reminders: {
|
||||
view_own: true,
|
||||
|
||||
Reference in New Issue
Block a user