LotusGuild/tinker_tickets
3
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity

Return 404 (not 403) for inaccessible tickets in TicketController

Browse Source 
Returning 403 Forbidden leaks the existence of tickets to users who
should not know about them. Use 404 Not Found consistently across all
access-controlled endpoints to prevent enumeration.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Jared Vititoe
2026-03-20 21:47:28 -04:00
parent a403e49537
commit e7d01ef576
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
controllers/TicketController.php
View File

@@ -42,10 +42,10 @@ class TicketController {
return; return;
} }
// Check visibility access // Check visibility access — return 404 rather than 403 to avoid leaking ticket existence
if (!$this->ticketModel->canUserAccessTicket($ticket, $currentUser)) { if (!$this->ticketModel->canUserAccessTicket($ticket, $currentUser)) {
header("HTTP/1.0 403 Forbidden"); header("HTTP/1.0 404 Not Found");
echo "Access denied: You do not have permission to view this ticket"; echo "Ticket not found";
return; return;
} }