Instructor can attach a slot to an offering they don't own #34

Closed
opened 2026-06-09 19:08:30 +00:00 by thatguygriff · 1 comment
Owner

Severity: Low — authorization gap; widens the surface of #31.

Problem

AvailabilityEndpoint::create() (src/Availability/AvailabilityEndpoint.php:105-115) accepts any offering_id with no check that the offering belongs to the calling instructor.

Impact

An instructor can tag their availability slot with another instructor's offering. Combined with the booking offering-substitution flaw (#31), this widens price/payment-routing manipulation.

Fix

Validate that the supplied offering_id resolves to an offering owned by get_current_user_id() (or a studio admin), else reject.
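The ownership check the Fix section describes, as an added illustration that is not the project's code: it assumes offerings are stored as a WordPress custom post type `offering` whose `post_author` is the owning instructor's user ID, and an assumed `manage_studio` capability for studio admins.

```php
<?php
// Added example, not code from the repository. Assumptions: offerings are a
// custom post type 'offering' with post_author = owning instructor user ID;
// 'manage_studio' is an assumed capability name for studio admins.

/** Vulnerable shape described in the issue: offering_id is trusted as given. */
function availability_create_unchecked(WP_REST_Request $request) {
    $offering_id = (int) $request->get_param('offering_id'); // any ID accepted
    // ... slot persisted tagged with $offering_id, no ownership check ...
    return rest_ensure_response(['offering_id' => $offering_id]);
}

/**
 * Return the offering post if $offering_id is owned by the calling user
 * (or the caller is a studio admin); otherwise a WP_Error that the REST
 * layer turns into a 400 response with error code 'invalid_offering'.
 */
function resolve_owned_offering(int $offering_id) {
    $post = get_post($offering_id);

    // Unknown ID, wrong post type or trashed post all count as "does not
    // resolve", and use the same error as "not yours" so a caller cannot
    // enumerate which IDs exist.
    if (! $post instanceof WP_Post
        || $post->post_type !== 'offering'
        || $post->post_status === 'trash') {
        return new WP_Error('invalid_offering', 'Offering not found.', ['status' => 400]);
    }

    $caller          = get_current_user_id();                 // 0 when unauthenticated
    $is_owner        = $caller !== 0 && (int) $post->post_author === $caller;
    $is_studio_admin = current_user_can('manage_studio');     // assumed capability

    if (! $is_owner && ! $is_studio_admin) {
        return new WP_Error('invalid_offering', 'Offering not found.', ['status' => 400]);
    }
    return $post;
}

/** Hardened create(): the ownership check runs before any slot is written. */
function availability_create(WP_REST_Request $request) {
    $offering = resolve_owned_offering((int) $request->get_param('offering_id'));
    if (is_wp_error($offering)) {
        return $offering; // WP REST serialises WP_Error using its 'status' data
    }
    // ... persist the slot tagged with $offering->ID (omitted) ...
    return rest_ensure_response(['offering_id' => $offering->ID]);
}
```

Using `$offering->ID` from the resolved post, rather than the raw request parameter, means the persisted value can never differ from the one that passed the check.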
thatguygriff added the security label 2026-06-09 19:08:30 +00:00
Author
Owner

Verified resolved on main (061d09e, PR #38): AvailabilityEndpoint::create() now rejects any offering_id that does not resolve to an offering owned by the calling instructor (400 invalid_offering). BookingEndpoint::book() independently enforces that the offering used at booking belongs to the slot's instructor, closing the #31 combination. Re-confirmed during the 2026-06-10 security review pass.
Reference: Unsupervised/unsupervised-scheduler#34