fix: add server-side RBAC to unprotected write/delete endpoints (VAPT #1)

abhizipstack · claude · abhizipstack · commit 26dfa7e2c78c · 2026-03-27T17:43:07.000+05:30
Add @handle_permission decorator to 14 non-GET endpoints that were
missing server-side permission checks, allowing privilege escalation
via response tampering.

Connection (connectiondetails):
- delete_connection, delete_all_connections, test_connection

Environment (environmentmodels):
- test_environment

Projects (projectdetails):
- create_sample_project, set_project_schema, save_model_file
- set_model_config_and_reference, set_model_transformation
- delete_model_transformation, set_model_presentation
- validate_model_file, write_database_file, generate_formula

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/backend/backend/core/routers/connection/views.py b/backend/backend/core/routers/connection/views.py
@@ -112,6 +112,7 @@ def connection_usage(request: Request, connection_id: str) -> Response:
 
 @api_view([HTTPMethods.POST, HTTPMethods.DELETE])
 @handle_http_request
+@handle_permission
 def delete_connection(request: Request, connection_id: str) -> Response:
     con_context = ConnectionContext()
     con_context.delete_connection(connection_id=connection_id)
@@ -124,6 +125,7 @@ def delete_connection(request: Request, connection_id: str) -> Response:
 
 @api_view([HTTPMethods.DELETE])
 @handle_http_request
+@handle_permission
 def delete_all_connections(request: Request) -> Response:
     con_context = ConnectionContext()
     result = con_context.delete_all_connections()
@@ -146,6 +148,7 @@ def reveal_connection_credentials(request: Request, connection_id: str) -> Respo
 
 @api_view([HTTPMethods.POST])
 @handle_http_request
+@handle_permission
 def test_connection(request: Request) -> Response:
     con_context = ConnectionContext()
     request_data: dict[str, Union[dict[str, Any], str, None]] = request.data
diff --git a/backend/backend/core/routers/environment/views.py b/backend/backend/core/routers/environment/views.py
@@ -124,6 +124,7 @@ def environment_dependent_projects(request: Request, environment_id: str):
 
 @api_view([HTTPMethods.POST])
 @handle_http_request
+@handle_permission
 def test_environment(request: Request):
     request_data: dict[str, Any] = request.data
     datasource: str = request_data.get("datasource")
diff --git a/backend/backend/core/routers/projects/views.py b/backend/backend/core/routers/projects/views.py
@@ -169,6 +169,7 @@ def get_projects_list(request: Request) -> Response:
 
 @api_view([HTTPMethods.POST])
 @handle_http_request
+@handle_permission
 def create_sample_project(request) -> Response:
     load_project_name = request.data.get("template", "jaffleshop_final")
 
@@ -366,6 +367,7 @@ def export_model_content_csv(
 
 @api_view([HTTPMethods.POST])
 @handle_http_request
+@handle_permission
 def set_project_schema(request: Request, project_id: str) -> Response:
     app = ApplicationContext(project_id=project_id)
     schema_name = request.data.get("schema_name")
@@ -679,6 +681,7 @@ def rollback_model_file_content(
 
 @api_view([HTTPMethods.POST])
 @handle_http_request
+@handle_permission
 def save_model_file(request: Request, project_id: str, file_name: str) -> Response:
     # This method is used to save the model file inside the project
     # This API is depreciated and will be removed in next release
@@ -699,6 +702,7 @@ def save_model_file(request: Request, project_id: str, file_name: str) -> Respon
 @api_view([HTTPMethods.POST])
 @clear_cache(patterns=["model_content_{project_id}_*"])
 @handle_http_request
+@handle_permission
 def set_model_config_and_reference(
     request: Request, project_id: str, file_name: str
 ) -> Response:
@@ -765,6 +769,7 @@ def set_model_config_and_reference(
 @api_view([HTTPMethods.POST])
 @clear_cache(patterns=["model_content_{project_id}_*"])
 @handle_http_request
+@handle_permission
 def set_model_transformation(
     request: Request, project_id: str, file_name: str
 ) -> Response:
@@ -782,6 +787,7 @@ def set_model_transformation(
 @api_view([HTTPMethods.DELETE])
 @clear_cache(patterns=["model_content_{project_id}_*"])
 @handle_http_request
+@handle_permission
 def delete_model_transformation(
     request: Request, project_id: str, file_name: str
 ) -> Response:
@@ -803,6 +809,7 @@ def delete_model_transformation(
 @api_view([HTTPMethods.POST])
 @clear_cache(patterns=["model_content_{project_id}_*"])
 @handle_http_request
+@handle_permission
 def set_model_presentation(
     request: Request, project_id: str, file_name: str
 ) -> Response:
@@ -840,6 +847,7 @@ def get_transformation_columns(
 
 @api_view([HTTPMethods.POST])
 @handle_http_request
+@handle_permission
 def validate_model_file(request: Request, project_id: str, file_name: str) -> Response:
     # This method is used to validate the model file inside the project
     request_data = request.data
@@ -852,6 +860,7 @@ def validate_model_file(request: Request, project_id: str, file_name: str) -> Re
 
 @api_view([HTTPMethods.POST])
 @handle_http_request
+@handle_permission
 def write_database_file(request: Request, project_id: str) -> Response:
     # By default, the files will be uploaded in seeds path as of now
     # request_data = request.data
@@ -864,6 +873,7 @@ def write_database_file(request: Request, project_id: str) -> Response:
 
 @api_view([HTTPMethods.POST])
 @handle_http_request
+@handle_permission
 def generate_formula(request: Request, project_id: str, model_name: str) -> Response:
     # Generate Excel Formula based on the User prompt with OpenAi support
     user_prompt = request.data["user_prompt"]
