fix(security): rollbackImport — require importer or admin

rubenvdlinde · rubenvdlinde · commit 45bbf8601086 · 2026-05-07T10:01:08.000+02:00
`POST /api/registers/import/rollback` was `@NoAdminRequired` and the only safety net was that the downstream `deleteObject` runs RBAC. With broad delete rights any user could rollback a different user's import (or a different tenant's, since the audit lookup never filters by org) just by guessing/learning the job UUID. Look up the first audit row for the supplied `importJobId`, verify the caller is either the original importer (`auditRow->getUser()` matches the current UID) or in the admin group; reject otherwise. 404 when no audit rows match the job UUID at all. Refs: #1419 review (blocker 4) — discussion_r3187494430
diff --git a/lib/Controller/RegistersController.php b/lib/Controller/RegistersController.php
@@ -1264,6 +1264,43 @@ public function rollbackImport(): JSONResponse
             );
         }
 
+        $user = $this->userSession->getUser();
+        if ($user === null) {
+            return new JSONResponse(
+                data: ['error' => 'Authentication required'],
+                statusCode: 401
+            );
+        }
+
+        // SECURITY: rollback wipes every object created by an import job.
+        // The only safety net was that `deleteObject` runs RBAC, which is
+        // much weaker than it sounds — any user with broad delete rights
+        // on the affected schemas could otherwise wipe a *different*
+        // user's import (and across tenants, since the audit lookup
+        // doesn't filter by organisation). Require the caller to be
+        // either the original importer or a member of the admin group.
+        $isAdmin     = $this->groupManager->isAdmin($user->getUID());
+        $auditSample = $this->auditTrailMapper->findByImportJobId(
+            importJobId: $importJobId,
+            action: 'create'
+        );
+        if (count($auditSample) === 0) {
+            return new JSONResponse(
+                data: ['error' => 'Import job not found', 'importJobId' => $importJobId],
+                statusCode: 404
+            );
+        }
+
+        $importerUid = method_exists($auditSample[0], 'getUser') === true
+            ? $auditSample[0]->getUser()
+            : null;
+        if ($isAdmin === false && $importerUid !== $user->getUID()) {
+            return new JSONResponse(
+                data: ['error' => 'Forbidden: only the user who initiated the import or an admin may roll it back'],
+                statusCode: 403
+            );
+        }
+
         try {
             $report = $this->importService->softDeleteByImportJobId(importJobId: $importJobId);
             return new JSONResponse(data: $report, statusCode: 200);
