Skip to content

fix(security): re-check run ownership when batch resetting group passwords#325

Open
Isaries wants to merge 1 commit into
WISE-Community:developfrom
Isaries:fix/batch-password-ownership
Open

fix(security): re-check run ownership when batch resetting group passwords#325
Isaries wants to merge 1 commit into
WISE-Community:developfrom
Isaries:fix/batch-password-ownership

Conversation

@Isaries

@Isaries Isaries commented Jul 6, 2026

Copy link
Copy Markdown

Summary

When a teacher batch reset the passwords of a group of students, the submitted group id was not checked against a run the teacher owns. A teacher could therefore reset the passwords of another teacher's students by submitting a group id that belongs to a run they do not own. This re-checks ownership before changing any passwords.

Changes

  • Carry the run id through the form.
  • Before changing passwords, verify that the signed-in teacher can manage the run and that the group is one of that run's periods. The check is done again on submit, so it holds even if the run id or group id is tampered with in the request.

Testing

  • Builds on JDK 17 (mvnw package).

…words

The batch student password reset only verified that the teacher owned the
run when loading the form. The submit handler read the group id from the
session-bound form object, which request parameters can override, and
reset every member's password without re-checking ownership, letting a
teacher reset another teacher's students' passwords via a different group
id.

Carry the run id through the form and, before resetting any passwords,
verify the teacher owns the run and that the group is one of that run's
periods.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant