Fix milestone ownership checks #105

Draft
cursor[bot] wants to merge 1 commit into main from cursor/critical-bug-investigation-a88a

Conversation

cursor Bot commented Jun 23, 2026

Bug and impact

Authenticated users could PATCH or DELETE any project milestone if they knew or guessed its milestone id. The new milestone route ignored the route project id and owner when calling the mutation helpers, creating an IDOR that could corrupt or delete another user's project progress.

Root cause

app/api/projects/[id]/milestones/[milestoneId]/route.ts passed only milestoneId into toggleMilestone/deleteMilestone, and those helpers updated/deleted project_milestones by id alone.

Fix

  • Require projectId and authenticated userId in milestone mutation helpers.
  • Scope UPDATE/DELETE through projects so milestone id, route project id, and projects.user_id must all match.
  • Return 404 when a scoped delete affects no row.

Validation

  • pnpm exec tsc --noEmit
  • pnpm exec eslint app/api/projects/[id]/milestones/[milestoneId]/route.ts lib/queries.ts (passes with only the pre-existing lib/queries.ts unused allowed warning)
  • Mocked SQL harness executed toggleMilestone and deleteMilestone and asserted the generated queries bind milestone id, project id, and user id with the project ownership join.

Co-authored-by: Cole Collins <DealPatrol@users.noreply.github.com>
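The ownership scoping and the mocked-query check described in the PR, as an added example that is not the PR's own code. Table and column names (project_milestones, projects.user_id) follow the PR text; the tagged-template `sql` client, the helper signatures and the subquery shape are assumptions.

```typescript
// Added example (not the PR's code): a mocked SQL harness that captures the
// parameterised query a milestone mutation issues, so a test can assert the DELETE
// binds milestone id, route project id and owner id through the projects table.
// Table/column names follow the PR text; the `sql` client and helper signatures are assumptions.

interface CapturedQuery { text: string; values: unknown[]; rowCount: number }
type SqlClient = (strings: TemplateStringsArray, ...values: unknown[]) => CapturedQuery;

// Fake tagged-template client: renders the template with $1, $2, ... placeholders and
// records the bound values instead of hitting a database. `rowCount` simulates how
// many rows the database would report as affected.
function makeSql(rowCount: number): { sql: SqlClient; log: CapturedQuery[] } {
  const log: CapturedQuery[] = [];
  const sql: SqlClient = (strings, ...values) => {
    const text = strings.reduce((acc, s, i) => acc + (i > 0 ? `$${i}` : "") + s, "");
    const q: CapturedQuery = { text, values, rowCount };
    log.push(q);
    return q;
  };
  return { sql, log };
}

// The vulnerable shape the PR describes: scoped by milestone id alone, so any
// authenticated user who knows an id can delete another user's milestone.
function deleteMilestoneUnscoped(sql: SqlClient, milestoneId: string): boolean {
  return sql`DELETE FROM project_milestones WHERE id = ${milestoneId}`.rowCount > 0;
}

// Hardened shape: the milestone must belong to the route's project, and that project
// must belong to the authenticated user. Returns false when no row matched so the
// route can answer 404 instead of silently succeeding.
function deleteMilestoneScoped(
  sql: SqlClient, milestoneId: string, projectId: string, userId: string,
): boolean {
  const result = sql`
    DELETE FROM project_milestones
    WHERE id = ${milestoneId}
      AND project_id IN (SELECT id FROM projects WHERE id = ${projectId} AND user_id = ${userId})`;
  return result.rowCount > 0;
}

// Harness check in the spirit of the PR's validation step: does a captured query bind
// all three ids and reference the projects ownership column?
function isOwnershipScoped(q: CapturedQuery, milestoneId: string, projectId: string, userId: string): boolean {
  const bindsAll = [milestoneId, projectId, userId].every((v) => q.values.includes(v));
  return bindsAll && /FROM projects/.test(q.text) && /user_id/.test(q.text);
}
```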
vercel Bot commented Jun 23, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project                | Deployment | Actions                         | Updated (UTC)
repo-app-architect     | Ready      | Preview, Comment                | Jun 23, 2026 11:15am
repofuse               | Ready      | Preview, Comment, Open in v0    | Jun 23, 2026 11:15am
v0-repo-app-architect  | Ready      | Preview, Comment, Open in v0    | Jun 23, 2026 11:15am
