fix: require admin access to list link shares

Previously, any user with read access to a project could list all link shares including their hashes via GET /projects/{id}/shares. This allowed read-only collaborators to obtain write or admin link share hashes and escalate their privileges. Now ReadAll requires admin access to the project.
2026-05-08 04:48:27 -05:00 · 2026-03-23 21:18:23 +01:00
parent 6d5d3e051f
commit 5cd5dc409b
2 changed files with 27 additions and 1 deletions
--- a/pkg/models/link_sharing.go
+++ b/pkg/models/link_sharing.go
@@ -236,7 +236,7 @@ func (share *LinkSharing) ReadAll(s *xorm.Session, a web.Auth, search string, pa
 	}

 	project := &Project{ID: share.ProjectID}
-	can, _, err := project.CanRead(s, a)
+	can, err := project.IsAdmin(s, a)
 	if err != nil {
 		return nil, 0, 0, err
 	}
--- a/pkg/models/link_sharing_test.go
+++ b/pkg/models/link_sharing_test.go
@@ -123,6 +123,32 @@ func TestLinkSharing_ReadAll(t *testing.T) {
 		assert.Len(t, shares, 1)
 		assert.Equal(t, int64(4), shares[0].ID)
 	})
+	t.Run("should forbid read-only users from listing link shares", func(t *testing.T) {
+		db.LoadAndAssertFixtures(t)
+		s := db.NewSession()
+		defer s.Close()
+
+		// User 1 has only read access to project 3
+		share := &LinkSharing{
+			ProjectID: 3,
+		}
+		_, _, _, err := share.ReadAll(s, doer, "", 1, -1)
+		require.Error(t, err)
+		assert.True(t, IsErrGenericForbidden(err))
+	})
+	t.Run("should forbid write users from listing link shares", func(t *testing.T) {
+		db.LoadAndAssertFixtures(t)
+		s := db.NewSession()
+		defer s.Close()
+
+		// User 1 has write access to project 10
+		share := &LinkSharing{
+			ProjectID: 10,
+		}
+		_, _, _, err := share.ReadAll(s, doer, "", 1, -1)
+		require.Error(t, err)
+		assert.True(t, IsErrGenericForbidden(err))
+	})
 }

 func TestLinkSharing_ReadOne(t *testing.T) {