Security: IDOR in PATCH /api/v2/users/{user_id} allows USER_CONFIG users to disable or modify other users' accounts
## Quick Information
- **Operating System:** Linux
- **Install Type:** Docker
- **Crafty Version:** v4.10.2
## What Happened?
A user with the USER_CONFIG Crafty permission can modify any other user's account by sending a PATCH request to /api/v2/users/{user_id} with an arbitrary user ID - including accounts belonging to other admins or managers they do not own. The endpoint only checks whether the requesting user has USER_CONFIG permission, but does not verify any manager/subordinate relationship between the requesting user and the target user. This means a USER_CONFIG user can set enabled: false on any account in the system, effectively locking out other administrators.
## Expected result
The endpoint should verify that the requesting user is the manager of the target user before allowing modifications. Requests targeting users outside the requester's management scope should be rejected with 403. This check already exists for the password field specifically, but is missing for all other fields including enabled.
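To make the expected check concrete, below is a constructed model of the authorization decision for this endpoint, written for this report and not taken from Crafty Controller's code base. The `User` record, the `manager_id` field, the permission constant and the two function names are assumptions; the policy itself (the manager relationship must hold for every field, not only `password`, otherwise 403) is what the report describes. The vulnerable variant sits beside the hardened one so the difference in scope is visible.

```python
"""Constructed model of the authorization decision for PATCH /api/v2/users/{user_id}.

Illustrative code for this report, not Crafty Controller's own implementation.
User records, the permission name and the helper signatures are assumptions;
only the policy (manager relationship required for every field) comes from the report.
"""
from dataclasses import dataclass, field
from typing import Optional

USER_CONFIG = "USER_CONFIG"  # permission name as referenced in the report


@dataclass
class User:
    user_id: int
    username: str
    superuser: bool = False
    manager_id: Optional[int] = None           # id of the account that manages this user (assumed field)
    permissions: set = field(default_factory=set)


def vulnerable_authorize(requester: User, target: User, patch: dict) -> int:
    """Behaviour as described in the report: the manager check is applied only
    when the password field is present. Returns an HTTP status code."""
    if requester.superuser:
        return 200
    if USER_CONFIG not in requester.permissions:
        return 403
    if "password" in patch and target.manager_id != requester.user_id:
        return 403
    return 200  # 'enabled' and every other field pass with no ownership check


def hardened_authorize(requester: User, target: User, patch: dict) -> int:
    """Expected behaviour: the manager relationship is required for any field,
    so a USER_CONFIG user can modify only the accounts they manage."""
    if requester.superuser:
        return 200
    if USER_CONFIG not in requester.permissions:
        return 403
    if target.manager_id != requester.user_id:
        return 403                       # target is outside the requester's management scope
    return 200


# Constructed sample users: 'operator' holds USER_CONFIG but does not manage 'admin'.
ADMIN = User(1, "admin", superuser=True)
OPERATOR = User(2, "operator", manager_id=1, permissions={USER_CONFIG})
SUBORDINATE = User(3, "sub", manager_id=2)


def demo() -> dict:
    """Evaluate the same PATCH body against both policies for a few requester/target pairs."""
    disable = {"enabled": False}
    return {
        "vulnerable: operator disables admin": vulnerable_authorize(OPERATOR, ADMIN, disable),
        "hardened: operator disables admin": hardened_authorize(OPERATOR, ADMIN, disable),
        "hardened: operator disables own subordinate": hardened_authorize(OPERATOR, SUBORDINATE, disable),
        "vulnerable: operator sets admin password": vulnerable_authorize(OPERATOR, ADMIN, {"password": "x"}),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

Running the module prints 200 for the vulnerable policy on `{"enabled": false}` against the admin account and 403 for the hardened one, while the hardened policy still permits the operator to modify their own subordinate. A regression test for the fix can assert exactly those two outcomes.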
## Steps to reproduce
1. Authenticate as a non-superuser with USER_CONFIG permission and obtain a Bearer token.

   ```bash
   curl -k -X POST https://localhost:8443/api/v2/auth/login \
     -H "Content-Type: application/json" \
     -d '{"username":"attacker","password":"attackerpassword"}'
   ```

2. Retrieve the target user's ID via GET /api/v2/users.

   ```bash
   curl -k https://localhost:8443/api/v2/users \
     -H "Authorization: Bearer TOKEN"
   ```

3. Send PATCH /api/v2/users/{victim_user_id} with body `{"enabled": false}`.

   ```bash
   curl -k -X PATCH https://localhost:8443/api/v2/users/VICTIM_USER_ID \
     -H "Authorization: Bearer TOKEN" \
     -H "Content-Type: application/json" \
     -d '{"enabled": false}'
   ```

4. The target account is disabled regardless of the victim's role or permission level.
## Screenshots
Four screenshots were attached to the original report (not reproduced here).
## Priority/Severity
- [x] High (anything that impacts the normal user flow or blocks app usage)
- [ ] Medium (anything that negatively affects the user experience)
- [ ] Low (anything else e.g., typos, missing icons/translations, layout/formatting issues, etc.)