From ff59187623408609ed72b3ce91a2fdfd19866251 Mon Sep 17 00:00:00 2001
From: Abhishek Khaparde
Date: Wed, 22 Apr 2026 15:48:49 +0530
Subject: [PATCH 1/2] security: enforce user ownership on global tasks

---
 source/app/blueprints/rest/dashboard_routes.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/source/app/blueprints/rest/dashboard_routes.py b/source/app/blueprints/rest/dashboard_routes.py
index 3f2ec2acb..b55ff5bfa 100644
--- a/source/app/blueprints/rest/dashboard_routes.py
+++ b/source/app/blueprints/rest/dashboard_routes.py
@@ -242,7 +242,7 @@ def add_gtask(caseid):
 @ac_requires_case_identifier()
 def edit_gtask(cur_id, caseid):
     form = CaseGlobalTaskForm()
-    task = GlobalTasks.query.filter(GlobalTasks.id == cur_id).first()
+    task = GlobalTasks.query.filter(GlobalTasks.id == cur_id).filter(or_(GlobalTasks.task_userid_open == current_user.id, GlobalTasks.task_assignee_id == current_user.id)).first()
     form.task_assignee_id.choices = [(user.id, user.name) for user in User.query.filter(
         User.active == True).order_by(User.name).all()]
     form.task_status_id.choices = [(a.id, a.status_name)
@@ -285,11 +285,11 @@ def gtask_delete(cur_id, caseid):
     if not cur_id:
         return response_error("Missing parameter")
 
-    data = GlobalTasks.query.filter(GlobalTasks.id == cur_id).first()
+    data = GlobalTasks.query.filter(GlobalTasks.id == cur_id).filter(or_(GlobalTasks.task_userid_open == current_user.id, GlobalTasks.task_assignee_id == current_user.id)).first()
     if not data:
         return response_error("Invalid global task ID")
 
-    GlobalTasks.query.filter(GlobalTasks.id == cur_id).delete()
+    GlobalTasks.query.filter(GlobalTasks.id == cur_id).filter(or_(GlobalTasks.task_userid_open == current_user.id, GlobalTasks.task_assignee_id == current_user.id)).delete()
     db.session.commit()
 
     call_modules_hook('on_postload_global_task_delete',

From 8490c23ffe2d80b9ab7ba826367c8e200989d494 Mon Sep 17 00:00:00 2001
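Review bot: The ownership predicate `or_(GlobalTasks.task_userid_open == current_user.id, GlobalTasks.task_assignee_id == current_user.id)` is written out inline on the added `task = ...` line and repeated verbatim in gtask_delete further down; a rule that decides who may edit, delete and view a record should have one definition so the call sites cannot drift apart. Add a module-level helper such as `def _gtask_for_user(cur_id): return GlobalTasks.query.filter(GlobalTasks.id == cur_id, or_(GlobalTasks.task_userid_open == current_user.id, GlobalTasks.task_assignee_id == current_user.id))` and use `task = _gtask_for_user(cur_id).first()` here. The rule also has no administrator exception: a user who neither opened nor is assigned the task is locked out regardless of role, which may be intended but deserves a comment saying so. The hunk does not show whether edit_gtask rejects a `None` task after the form choices are built; if that check is absent, a request for a task the caller does not own now fails with an attribute error instead of a clean error response. edit_gtask's body continues outside the hunk.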
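Review bot: The `.delete()` on the last changed line re-runs the ownership-filtered query even though `data` was already fetched with the same filter two lines earlier, so the predicate now appears a third time in this file. Replacing it with `db.session.delete(data)` keeps fetch and delete on one object and removes the duplicate; if the bulk `query.delete()` was chosen deliberately to skip ORM-level cascades, keep it but build it through a shared helper rather than retyping the condition. Returning the same `"Invalid global task ID"` for a missing task and for a task the caller does not own is the right choice, since it does not reveal whether the ID exists; that is worth the one-line comment `# same error for missing and foreign tasks: do not leak task existence`. gtask_delete's body continues past the hunk, where the call_modules_hook call is cut off.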
From: Abhishek Khaparde
Date: Wed, 22 Apr 2026 15:59:18 +0530
Subject: [PATCH 2/2] fix: add missing sqlalchemy import and protect view_gtask endpoint

---
 source/app/blueprints/rest/dashboard_routes.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/source/app/blueprints/rest/dashboard_routes.py b/source/app/blueprints/rest/dashboard_routes.py
index b55ff5bfa..111f49e7f 100644
--- a/source/app/blueprints/rest/dashboard_routes.py
+++ b/source/app/blueprints/rest/dashboard_routes.py
@@ -17,6 +17,7 @@
 # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 
 import marshmallow
+from sqlalchemy import or_
 from datetime import datetime
 from datetime import timedelta
 from oic.oauth2.exception import GrantError
@@ -157,7 +158,7 @@ def get_gtasks():
 @dashboard_rest_blueprint.route('/global/tasks/', methods=['GET'])
 @ac_api_requires()
 def view_gtask(cur_id):
-    task = get_global_task(task_id=cur_id)
+    task = GlobalTasks.query.filter(GlobalTasks.id == cur_id).filter(or_(GlobalTasks.task_userid_open == current_user.id, GlobalTasks.task_assignee_id == current_user.id)).first()
     if not task:
         return response_error(f'Global task ID {cur_id} not found')
 
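Review bot: Replacing `get_global_task(task_id=cur_id)` with an inline query on the added `task = ...` line moves the access rule out of the data-access helper and leaves `get_global_task` unprotected for any other caller, while the same predicate now exists in four places in this file. Prefer extending the helper, e.g. `task = get_global_task(task_id=cur_id, user_id=current_user.id)`, so the ownership condition lives once, next to the query it constrains, and every route that fetches a global task inherits it. The hunk header shows `get_gtasks()` immediately above this route; if that listing endpoint still returns every global task, it exposes the titles and assignees this endpoint now withholds, so it should apply the same filter — I cannot see its body from here. Keeping the unchanged `f'Global task ID {cur_id} not found'` for both a missing and a foreign task is good, as it does not confirm that the ID exists. view_gtask's body continues outside the hunk.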