If User A starts a conversation with User B (Conversation ID 1 in this case), any other user or unauthenticated user can access the full conversation history via the API, along with sensitive information that would usually only be accessible to admins.
I can confirm the issue. Guests can read all messages through the REST API.
The problem is on line 40 of ListMessagesController. ->get() will return a Collection instance, which will always evaluate as true. It can be replaced by many options; best is probably ->exists(), but it could also be ->count() or ->first().
if (!$conversation->recipients()->where('user_id', $actor->id)->get()) {
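An added example (not code from the whisper project or from the commenter) that makes the point above concrete: it stubs a minimal `Collection` class standing in for Laravel's, shows why negating the result of `->get()` never denies access, and then gives the `->exists()` form in the shape of a Flarum controller check. The stub, the `assertActorIsRecipient()` helper and its use of Flarum's `PermissionDeniedException` and `User::assertRegistered()` are assumptions for illustration; `$actor` and `$conversation->recipients()` are the names used in the thread.

```php
<?php
// Added example, not code from KyrneDev/whisper.

use Flarum\User\Exception\PermissionDeniedException;

// Constructed stand-in for Illuminate\Support\Collection, just enough to
// demonstrate the bug: any PHP object, including an empty Collection, is truthy.
final class Collection
{
    public function __construct(private array $items = []) {}

    public function isEmpty(): bool
    {
        return $this->items === [];
    }
}

// Vulnerable pattern (line 40 shape): "!" applied to an object is always false,
// so the deny branch is dead code even when the result set is empty.
function isDeniedVulnerable(Collection $recipients): bool
{
    return !$recipients;
}

// Corrected pattern: ask whether any rows exist instead of truth-testing the object.
function isDeniedFixed(Collection $recipients): bool
{
    return $recipients->isEmpty();
}

// Simulates what ->get() returns for a user who is not a recipient: an empty Collection.
$notARecipient = new Collection([]);
var_dump(isDeniedVulnerable($notARecipient)); // bool(false): access wrongly granted
var_dump(isDeniedFixed($notARecipient));      // bool(true):  access denied

// The same fix inside a Flarum controller (assumed helper; not the project's code).
// $conversation is the Eloquent model, $actor comes from $request->getAttribute('actor').
function assertActorIsRecipient($conversation, $actor): void
{
    // Guests have no user id, so reject them before the recipient lookup.
    $actor->assertRegistered();

    // ->exists() returns a bool, so the negation now behaves as intended.
    if (!$conversation->recipients()->where('user_id', $actor->id)->exists()) {
        throw new PermissionDeniedException();
    }
}
```

The stub section runs on its own and prints the two `var_dump` lines; `assertActorIsRecipient()` is only defined, not called, since it needs a live Flarum request and model. The important property of the fixed check is that both `->exists()` and `->count()` return scalars whose falsiness actually tracks "no matching row", which the Collection object never could.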
@KyrneDev, while you take a look at access control, I see in https://github.com/KyrneDev/whisper/blob/master/src/Commands/ReadMessageHandler.php you never validate whether messageId actually belongs to conversationId, so it seems like you could pass a message ID from a different conversation and set a read number higher than supposed. There doesn't seem to be any serious security issue though, because nothing about messageId is returned to the client (except for the ID existence), and no attributes are updated on the message either. It seems to just be used to retrieve the number. Potentially, by reading the websocket and sending REST API requests for every possible post ID, you might be able to guess how many different discussions are happening on the forum at any given time.
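An added example (not code from the whisper project or from the commenter) of the missing binding check described above: a message id is only accepted when it belongs to the conversation the request names, which also closes the id-existence side channel, since a foreign id produces the same response as a non-existent one. The in-memory rows, the `findMessageInConversation()` helper and the `Message` model name in the trailing comment are constructed assumptions; the handler's real class and column names are not given in the thread.

```php
<?php
// Added example, not code from KyrneDev/whisper.

// Constructed rows standing in for a messages table (id, conversation_id, number).
const MESSAGES = [
    ['id' => 10, 'conversation_id' => 1, 'number' => 3],
    ['id' => 11, 'conversation_id' => 1, 'number' => 4],
    ['id' => 20, 'conversation_id' => 2, 'number' => 9],
];

// Vulnerable shape: the message is looked up by id alone, so a caller can pass
// any message id and the handler uses its number regardless of conversation.
function readNumberVulnerable(int $messageId): ?int
{
    foreach (MESSAGES as $row) {
        if ($row['id'] === $messageId) {
            return $row['number'];
        }
    }
    return null;
}

// Corrected shape: the lookup is scoped to the conversation the request names.
// A message from another conversation is indistinguishable from one that does not
// exist, so neither the number nor the id's existence leaks across conversations.
function findMessageInConversation(int $messageId, int $conversationId): ?array
{
    foreach (MESSAGES as $row) {
        if ($row['id'] === $messageId && $row['conversation_id'] === $conversationId) {
            return $row;
        }
    }
    return null;
}

function readNumberFixed(int $messageId, int $conversationId): ?int
{
    $message = findMessageInConversation($messageId, $conversationId);
    return $message['number'] ?? null;
}

// Message 20 lives in conversation 2; a request for conversation 1 must not use it.
var_dump(readNumberVulnerable(20));  // int(9): foreign message accepted
var_dump(readNumberFixed(20, 1));    // NULL:   rejected, same as an unknown id
var_dump(readNumberFixed(11, 1));    // int(4): own conversation still works

// Equivalent Eloquent query for the handler (assumed model name):
// $message = Message::query()
//     ->where('id', $command->messageId)
//     ->where('conversation_id', $command->conversationId)
//     ->firstOrFail();
```

The design choice worth carrying into the handler is that the conversation id becomes part of the lookup key rather than a separate check after the fetch: `firstOrFail()` on the scoped query then returns a 404 for both "no such message" and "message in another conversation", so the two cases cannot be told apart by response timing or status.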
This is achieved through the API, for example https://mydomain.com/api/whisper/messages/1