
Bug: enforce RBAC on analysis saved-query endpoints #709

@cct08311github

Description

Summary

Recent analysis saved-query endpoints bypass VM role checks.

Evidence

  • Commit ebbb515469ade20dfaa1ea29121ffd5d156876f5 (merge of PR feat(analysis): Analysis Mode Saved Queries CRUD #684) introduced saved-query CRUD paths.
  • In src/WalkingTec.Mvvm.Mvc/_AnalysisController.cs, methods ListSavedQueries, SaveQuery, and GetSavedQuery did not enforce CheckAccess(vmType).
  • Secure analysis query paths already enforce RBAC in TryPrepareContext.

Risk

Users without required AllowedRoles can list/save/load saved queries for restricted VM types (including public saved queries).

Proposed minimal fix

  • Add Resolve + CheckAccess in ListSavedQueries and SaveQuery.
  • In GetSavedQuery, deserialize config then Resolve + CheckAccess before returning config.
  • Add regression tests for 403 behavior on restricted VM.
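The proposed fix, sketched as an added C# illustration that is not the project's code: Resolve, CheckAccess and AllowedRoles are the names the issue uses, but their signatures, the saved-query schema and the in-memory store are assumptions. It shows the ordering that matters for GetSavedQuery, where the VM type is only known after the stored config is deserialized, and that a public saved query still goes through the same check.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;
using Microsoft.AspNetCore.Mvc;

// Hypothetical shapes; the issue does not show the real schema of a saved query.
public record SavedQueryRow(Guid Id, bool IsPublic, string ConfigJson);
public record SavedQueryConfig(string VmType, string Filter);

public abstract class GuardedAnalysisController : Controller
{
    // Stand-ins for the framework members named in the issue (Resolve, CheckAccess);
    // their real signatures are assumed, not taken from the project.
    protected abstract Type? Resolve(string vmTypeName);  // VM type name -> CLR type
    protected abstract bool CheckAccess(Type vmType);     // caller's roles vs AllowedRoles
    protected readonly Dictionary<Guid, SavedQueryRow> Store = new(); // hypothetical store

    // Null means the caller may touch this VM type; otherwise the response to send instead.
    private IActionResult? Denied(string vmTypeName)
    {
        var vmType = Resolve(vmTypeName);
        if (vmType == null) return NotFound();
        return CheckAccess(vmType) ? null : StatusCode(403);
    }

    [HttpPost]
    public IActionResult SaveQuery([FromBody] SavedQueryConfig config)
    {
        // Gate on the VM type before anything is persisted.
        if (Denied(config.VmType) is { } deny) return deny;
        var row = new SavedQueryRow(Guid.NewGuid(), false, JsonSerializer.Serialize(config));
        Store[row.Id] = row;
        return Ok(row.Id);
    }

    [HttpGet]
    public IActionResult GetSavedQuery(Guid id)
    {
        if (!Store.TryGetValue(id, out var row)) return NotFound();
        // The VM type lives inside the stored config, so deserialize first, then check,
        // and return the config only after the check passes. IsPublic does not bypass it.
        var config = JsonSerializer.Deserialize<SavedQueryConfig>(row.ConfigJson);
        if (config == null) return BadRequest();
        if (Denied(config.VmType) is { } deny) return deny;
        return Ok(config);
    }
}
```

ListSavedQueries follows the SaveQuery shape: resolve and check the requested VM type before the store is queried, so a caller outside AllowedRoles receives 403 rather than an empty or filtered list.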
