Forums Bug Reports Thread

API know:write key can approve/reject/delete/edit any wiki content, bypassing the moderator trust model

Patrick Bass · Jun 6 · 14 · 1 Locked
[Major] [High Priority] [Bug Fixed] [Always Reproduces]
Oldest Newest Top
Patrick Bass 🚀 OP Jun 6, 2026 6:11pm

Area: mobieusKnow (audit p6) · Surface: POST /api/v1/know/revisions/{id}/approve|reject, /api/v1/know/pages/{slug}, /pages/{slug}/delete, /pages (KnowledgeApiController) · Dimension: security · Severity: major

OWASP A01:2021 Broken Access Control. The API surface collapses the entire web-side trust/moderation model into a single coarse scope. Any key holder with know:write — not necessarily a moderator — can approve or reject arbitrary revisions, hard-bypass the review queue by publishing approved revisions directly, edit or delete any page, with no ownership or moderator gate. The web path forbids exactly these actions for non-moderators.

Evidence

Every write method gates ONLY on the know:write scope and performs no role/moderator/ownership check. KnowledgeApiController.php:196-210 revisionsApprove(): `$this->requireScope(ApiKey::SCOPE_KNOW_WRITE);` then directly `UPDATE knowledge_revisions SET status="approved"...` and points the page at it. revisionsReject (213-230), pagesDelete (159-166), pagesUpdate (123-156), pagesCreate (87-120) are identical. requireScope (V1Controller.php:31-41) only checks `in_array($scope, $key['scopes'])` — no user role lookup. By contrast the web equivalents require a moderator: KnowledgeController::approveRevision (381-406) and deletePage (538-555) enforce `if (!KnowledgeTrust::isModerator(...) && (int)$user['role'] < 4)`, and pagesCreate/pagesUpdate via the API hardcode `status => 'approved'` (lines 113, 144) skipping the pending queue that KnowledgeController::store applies to untrusted users (KnowledgeController.php:165 `$canPublish ? 'approved' : 'pending'`).

Suggested fix. Add a moderator-only check for approve/reject/delete on the API (e.g. resolve the key creator's role / a know:moderate scope) and make pagesCreate/pagesUpdate respect the same trust rule the web path uses (KnowledgeTrust::canPublishDirectly) so non-trusted authors land in 'pending', not 'approved'.

Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.

Patrick Bass
@mobieus

Patrick Bass 🚀 Jun 7, 2026 5:15am

Resolved — fixed and deployed. Commit e23a8fec596a, shipped dev-first then to all tenants on 2026-06-06.

Added requireKnowModerator() gate (role>=4 or KnowledgeTrust::isModerator) to revisionsApprove/revisionsReject/pagesDelete, returning 403 insufficient_role for non-moderators. Also implemented the missing author() helper (resolves the API key creator's id + users.role) so pagesCreate/pagesUpdate's existing KnowledgeTrust::canPublishDirectly call actually works, landing non-trusted authors' revisions in 'pending' not 'approved'. php -l clean.

Status: fixed. Thread closed and locked.

Patrick Bass
@mobieus

Related Discussions

IDOR + internal-note leak + Anthropic-key abuse: any logged-in user can run AI hooks against any ticket_id (/api/help/ai/*)
Bug Reports · 1 replies · 14 views
Admin file edit form description field has no AI wand (moderator edit form does)
Bug Reports · 1 replies · 15 views
Navbar 'Know' link and all wiki breadcrumbs hardcode /know/index, which 404s if the index page is deleted or its seed fails
Bug Reports · 1 replies · 22 views
setImageAltText accepts a global role>=3 moderator instead of a forum-scoped moderator — cross-forum write
Bug Reports · 1 replies · 19 views
Broken access control: any logged-in user can read/reply/change-status/assign ANY ticket via /help/api/tickets/*
Bug Reports · 1 replies · 20 views

Log in or register to reply to this thread.