fix(security): prevent cross-vendor product-attribute editing via REST (IDOR)#3292
fix(security): prevent cross-vendor product-attribute editing via REST (IDOR)#3292MdAsifHossainNadim wants to merge 1 commit into
Conversation
…t-default routes (IDOR) The dokan/v1 products/attributes/edit-product/<id> and /set-default/<id> routes guarded only on the generic dokan_edit_product capability, so any authenticated vendor could modify another vendor's product attributes by passing a foreign product id. The permission check now verifies product ownership via dokan_is_product_author(); admins and shop managers (manage_woocommerce) are exempt. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
📝 WalkthroughWalkthrough
ChangesProduct Attribute REST Authorization
Estimated code review effort🎯 2 (Simple) | ⏱️ ~5 minutes Possibly related PRs
Suggested labels
Suggested reviewers
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
All Submissions:
Changes proposed in this Pull Request:
Fixes a cross-vendor IDOR on the product-attribute edit / set-default REST routes: any authenticated vendor could modify the attributes of any other vendor's product.
What's the actual issue?
The custom routes
POST /wp-json/dokan/v1/products/attributes/edit-product/<id>andPOST /wp-json/dokan/v1/products/attributes/set-default/<id>(where
<id>is a product id) are both guarded byupdate_product_attribute_permissions_check(), which returned only:dokan_edit_productis a primitive capability every vendor holds, and the check never looks at the product in the URL. So a vendor could pass another vendor's product id and overwrite that product's attributes / default attributes — the callbacks (update_product_attribute,update_product_default_attribute) load the product purely from the request id with no ownership check.How we fixed it —
includes/REST/ProductAttributeController.phpGate the permission check on product ownership, exactly like the rest of Dokan (admins / shop managers exempt):
dokan_is_product_author()is Dokan's canonical "current user owns this product" primitive (vendor-staff aware). Both routes share this one permission callback, so both are fixed.How to test
200— Vendor B's product attributes are modified.403 dokan_rest_cannot_edit— request rejected. Same for/set-default/<id>.Test result: ✅ Verified on a live install. As a non-admin vendor: requests to the vendor's own product id returned
200(edit + set-default still work), while the same requests to another vendor's product id returned403 dokan_rest_cannot_edit. Admins/shop managers are unaffected.Related Pull Request(s)
Closes
Changelog entry
Fix — Cross-vendor product-attribute editing via REST
The product-attribute edit / set-default REST routes only checked a generic capability, so a vendor could edit another vendor's product attributes by passing a foreign product id. The permission check now verifies product ownership (admins and shop managers are exempt).