Forums Bug Reports Thread

API revision approve has no pending-status precondition and no self-approval guard

Patrick Bass · Jun 6 · 20 · 1 Locked
[Minor] [Normal Priority] [Bug Fixed] [Always Reproduces]
Oldest Newest Top
Patrick Bass 🚀 OP Jun 6, 2026 6:11pm

Area: mobieusKnow (audit p6) · Surface: POST /api/v1/know/revisions/{id}/approve (KnowledgeApiController@revisionsApprove) · Dimension: security · Severity: minor

OWASP A04:2021 Insecure Design. The API can re-'approve' an already-rejected or already-approved revision (resurrecting rejected content and re-pointing current_revision_id at it), and lets an author rubber-stamp their own edit. The web moderation flow explicitly prevents both.

Evidence

revisionsApprove (KnowledgeApiController.php:196-210) fetches the revision then unconditionally `UPDATE knowledge_revisions SET status = "approved", reviewed_by = :r ...` with no check that the current status is 'pending' and no check that the reviewer (key creator) differs from the author. The web path guards both: KnowledgeController::approveRevision (393-396) `if (!$rev || $rev['status'] !== 'pending')` and KnowledgeRevision::approve (KnowledgeRevision.php:73) selects `WHERE id = :id AND status = 'pending'`. notifyContributor (KnowledgeController.php:447) also skips self-approval; the API has no equivalent.

Suggested fix. Require status='pending' before approving (`WHERE id=:id AND status='pending'`), and enforce reviewer != author unless the key explicitly carries a moderator/elevated scope.

Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.

Patrick Bass
@mobieus

Patrick Bass 🚀 Jun 7, 2026 5:38am

Resolved — fixed and deployed. Commit 89b2334003a7, shipped dev-first then to all tenants on 2026-06-06.

In revisionsApprove(): added a status='pending' precheck (400 not_pending), guarded the UPDATE with AND status="pending" + affected-rows check to close the read/write race, and blocked self-approval for non-admin moderators (role<4 reviewer == author) while still allowing role>=4 elevated keys to self-approve.

Status: fixed. Thread closed and locked.

Patrick Bass
@mobieus

Related Discussions

Revision history page leaks pending/rejected revisions and moderator reject reasons to anonymous users
Bug Reports · 1 replies · 10 views
Anyone (incl. anonymous) can read pending/rejected wiki revision bodies via /know/{slug}/history/{id}
Bug Reports · 1 replies · 12 views
SSRF guard missing on connectToken premium branch and /bbs/{slug}/connect while the community branch enforces it
Bug Reports · 1 replies · 10 views
API know:write key can approve/reject/delete/edit any wiki content, bypassing the moderator trust model
Bug Reports · 1 replies · 15 views
Paid-access forums with per-forum Stripe billing and approval workflow
Feature Requests · 1 replies · 26 views

Log in or register to reply to this thread.