Skip to content

Service admin/manager check grants access to any membership holder regardless of role #2339

Open
Bug
Open
Service admin/manager check grants access to any membership holder regardless of role#2339
Bug
@logan-life

Description

@logan-life
logan-life
opened on Apr 9, 2026

Description

As User A with service_admin or platform_admin permissions and with User B as a service admin or service manager for arbitrary service, call PUT service_memberships with service_id, User B.id, and role = arbitrary text(e.g. "banana")

SBS accepts this new role "banana" without complaint ❌
User B can perform actions that should be restricted to only users with role admin and/or manager

see the below function which only checks for existence of any role, and roles are just arbitrary strings of text with no validation

def is_service_admin_or_manager(service_id=None):
    user_id = current_user_id()
    query = ServiceMembership.query \
        .options(load_only(ServiceMembership.user_id)) \
        .filter(ServiceMembership.user_id == user_id)
    if service_id:
        query = query.filter(ServiceMembership.service_id == service_id)
    return query.count() > 0

ServiceMembership.role = db.Column("role", db.String(length=255), nullable=False)

export function updateServiceMembershipRole(serviceId, userId, role) {
    return postPutJson("/api/service_memberships", {
        serviceId: serviceId,
        userId: userId,
        role: role
    }, "put")
}

@service_membership_api.route("/", methods=["PUT"], strict_slashes=False)
@json_endpoint
def update_service_membership_role():
    client_data = current_request.get_json()
    service_id = client_data["serviceId"]
    user_id = client_data["userId"]
    role = client_data["role"]

    confirm_service_admin(service_id)

    service_membership = ServiceMembership.query \
        .filter(ServiceMembership.service_id == service_id) \
        .filter(ServiceMembership.user_id == user_id) \
        .one()
    service_membership.role = role

    emit_socket(f"service_{service_id}", include_current_user_id=True)

    db.session.merge(service_membership)
    return service_membership, 201```


### Severity

None

### Steps to Reproduce

_No response_

### Expected Behavior

_No response_

### Actual Behavior

_No response_

### Screenshots or Logs

_No response_

### Environment

_No response_

### Additional Context

_No response_

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    Bug

    Projects

    Sprint Board

    Status

    To be refined

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions