Unbounded weekly reservation lets one student lock an instructor's whole series #35

Closed
opened 2026-06-09 19:08:32 +00:00 by thatguygriff · 1 comment
Owner

Severity: Low — abuse / availability DoS.

Problem

A single recurrence=weekly booking reserves every unbooked slot in the recurrence group with no cap (src/Booking/BookingEndpoint.php:144-149).

Impact

One student can lock up an instructor's entire recurring schedule in a single request.

Fix

Cap the number of occurrences a single weekly booking may reserve (configurable per offering, or a sane default), and/or require the offering's allow_weekly flag to be set.

thatguygriff added the security label 2026-06-09 19:08:32 +00:00
Author
Owner

Verified resolved on main (061d09e, PR #38): BookingEndpoint::MAX_WEEKLY_OCCURRENCES caps a single weekly booking at 12 occurrences, so one request can no longer lock an instructor's entire recurring series. Note the optional second half of the suggested fix (enforcing the offering's allow_weekly flag at booking time) is not implemented — the cap alone addresses the lockup abuse described here; flag enforcement can be a separate enhancement if wanted. Re-confirmed during the 2026-06-10 security review pass.

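As an added illustration of the fix discussed in this issue (not code from the unsupervised-scheduler project, and not the actual BookingEndpoint implementation), the snippet below places the unbounded reservation loop the issue describes beside a capped version. The class and function names (`Offering`, `Slot`, `reserveWeeklyUnbounded`, `reserveWeeklyCapped`) and the per-offering `maxWeeklyOccurrences` field are assumptions; the default cap of 12 mirrors the value the resolution comment reports for `MAX_WEEKLY_OCCURRENCES`, and the `allowWeekly` check implements the optional second half of the suggested fix that the comment says is not in main.

```php
<?php
// Added example, not project code. Offering, Slot, reserveWeeklyUnbounded and
// reserveWeeklyCapped are assumed names; the real BookingEndpoint may differ.
declare(strict_types=1);

final class Offering
{
    public function __construct(
        public readonly bool $allowWeekly,
        // null means "use the global default cap"; a per-offering override otherwise.
        public readonly ?int $maxWeeklyOccurrences = null,
    ) {}
}

final class Slot
{
    public function __construct(
        public readonly string $startsAt,   // ISO date, constructed sample data
        public ?string $bookedBy = null,    // null = unbooked
    ) {}
}

final class WeeklyBookingNotAllowed extends RuntimeException {}

/** Default cap; the value 12 is the one reported in the resolution comment. */
const MAX_WEEKLY_OCCURRENCES = 12;

/**
 * Unbounded behaviour as described in the issue: every unbooked slot in the
 * recurrence group is reserved, however many there are.
 *
 * @param Slot[] $group
 * @return Slot[] slots that were reserved
 */
function reserveWeeklyUnbounded(array $group, string $student): array
{
    $reserved = [];
    foreach ($group as $slot) {
        if ($slot->bookedBy === null) {
            $slot->bookedBy = $student;
            $reserved[] = $slot;
        }
    }
    return $reserved;
}

/**
 * Capped behaviour: refuses weekly bookings the offering does not allow and
 * stops after the per-offering cap (falling back to MAX_WEEKLY_OCCURRENCES).
 * Slots are taken in chronological order so a student gets the next N
 * occurrences rather than an arbitrary subset of the series.
 *
 * @param Slot[] $group
 * @return Slot[] slots that were reserved (at most the cap)
 */
function reserveWeeklyCapped(Offering $offering, array $group, string $student): array
{
    if (!$offering->allowWeekly) {
        throw new WeeklyBookingNotAllowed('This offering does not accept weekly bookings.');
    }
    $cap = $offering->maxWeeklyOccurrences ?? MAX_WEEKLY_OCCURRENCES;
    if ($cap < 1) {
        throw new InvalidArgumentException('Weekly occurrence cap must be at least 1.');
    }

    // $group is a copy (PHP arrays are by value), but Slot objects are shared,
    // so marking bookedBy below is visible to the caller.
    usort($group, fn (Slot $a, Slot $b) => strcmp($a->startsAt, $b->startsAt));

    $reserved = [];
    foreach ($group as $slot) {
        if (count($reserved) >= $cap) {
            break;
        }
        if ($slot->bookedBy === null) {
            $slot->bookedBy = $student;
            $reserved[] = $slot;
        }
    }
    return $reserved;
}

// Constructed sample: a 30-week recurrence group with nothing booked yet.
$group = [];
for ($week = 0; $week < 30; $week++) {
    $group[] = new Slot(date('Y-m-d', strtotime("2026-06-15 +{$week} week")));
}

$lockedAll = reserveWeeklyUnbounded(array_map(fn (Slot $s) => clone $s, $group), 'student-a');
printf("unbounded: %d of %d slots taken by one request\n", count($lockedAll), count($group));

$offering = new Offering(allowWeekly: true);
$capped = reserveWeeklyCapped($offering, $group, 'student-a');
printf("capped: %d of %d slots taken (cap %d)\n", count($capped), count($group), MAX_WEEKLY_OCCURRENCES);
```

Whether to truncate to the first N occurrences (as above) or reject a request that would exceed the cap is a design choice; truncation matches the wording "cap the number of occurrences", while rejection makes the limit visible to the client. Either way the availability impact is bounded: one request can take at most the cap, and the remaining slots in the series stay open for other students.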

Reference: Unsupervised/unsupervised-scheduler#35