Fitness Authorization: Eliminate Cross-User Data Access #4

New Issue

Closed

opened 2026-03-29 08:35:00 -05:00 by yusiboyz · 1 comment

yusiboyz commented 2026-03-29 08:35:00 -05:00

Owner

Copy Link

This issue covers cross-user authorization flaws in Fitness.

Problems:

• Authenticated users can pass arbitrary user_id values to read other users' entries, totals, and goals
• /api/users exposes all users to any authenticated caller
• Service still exposes broad permissive CORS

Files:

• services/fitness/server.py

Acceptance criteria:

• Normal users can only access their own entries, totals, goals, templates, and favorites
• user_id query parameters are ignored or rejected for non-admin users
• /api/users is removed or restricted to an explicit admin role
• Authorization checks are covered by tests

This issue covers cross-user authorization flaws in Fitness. Problems: - Authenticated users can pass arbitrary `user_id` values to read other users' entries, totals, and goals - `/api/users` exposes all users to any authenticated caller - Service still exposes broad permissive CORS Files: - services/fitness/server.py Acceptance criteria: - Normal users can only access their own entries, totals, goals, templates, and favorites - `user_id` query parameters are ignored or rejected for non-admin users - `/api/users` is removed or restricted to an explicit admin role - Authorization checks are covered by tests

yusiboyz added this to the Immediate milestone 2026-03-29 08:43:50 -05:00

yusiboyz referenced this issue 2026-03-29 08:43:51 -05:00

Production Security and Readiness Remediation #1

yusiboyz referenced this issue from a commit 2026-03-29 08:53:06 -05:00

fix(fitness): eliminate cross-user data access (#4)

yusiboyz closed this issue 2026-03-29 08:53:06 -05:00

yusiboyz commented 2026-03-29 08:53:16 -05:00

Author

Owner

Copy Link

Fixed in commit fb79f15

Changes (services/fitness/server.py):

• 5 GET endpoints: user_id param replaced with authenticated user ID
• 1 PUT endpoint (goals): user_id param replaced with authenticated user ID
• /api/users: now returns only current user, not all users
• Wildcard CORS (Access-Control-Allow-Origin: *) removed from all 3 locations

Verified:

• Fitness entries/totals/goals all return data for authenticated user only
• /api/users returns single-element array with current user
• No cross-user data leakage possible

Remaining risk: none for this issue scope.

**Fixed in commit fb79f15** Changes (services/fitness/server.py): - 5 GET endpoints: user_id param replaced with authenticated user ID - 1 PUT endpoint (goals): user_id param replaced with authenticated user ID - /api/users: now returns only current user, not all users - Wildcard CORS (Access-Control-Allow-Origin: *) removed from all 3 locations Verified: - Fitness entries/totals/goals all return data for authenticated user only - /api/users returns single-element array with current user - No cross-user data leakage possible Remaining risk: none for this issue scope.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

No results found.

Labels

Clear labels

auth

critical

dependencies

high

immediate

medium

next

ops

performance

security

No Label

Milestone

No items

No Milestone Immediate

Projects

Clear projects

No project

Assignees

Clear assignees

yusiboyz

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: yusiboyz/platform#4