# Vulnerability Summary: IDOR Vulnerability in WorkspaceInvitationsController

## Vulnerability Overview

- **Title**: Security: Cross-Workspace Invitation Deletion IDOR in WorkspaceInvitationsController #337
- **Type**: IDOR (Insecure Direct Object Reference), CWE-639
- **Status**: Open
- **Reporter**: lighthousekeeper1212
- **Date**: Feb 26

## Impact Scope

- **Affected File**: `app/Http/Controllers/Workspaces/WorkspaceInvitationsController.php`, lines 42–47
- **Vulnerable Method**: `destroy()`
- **Issue Description**:
  - Any workspace owner can delete invitations belonging to other workspaces by supplying a foreign invitation ID in the request.
  - The route middleware `OwnsCurrentWorkspace` only verifies that the user owns their current workspace; it does not verify that the `$invitation` route parameter belongs to that workspace.
  - Laravel's route model binding resolves `Invitation` for any ID that exists, without any ownership scoping.
  - Although the `invitations` table has a `workspace_id` foreign key, `destroy()` never compares it against the caller's workspace before deleting.

## Remediation

- **Recommended Fix Code**:

```php
public function destroy(Invitation $invitation): RedirectResponse
{
    abort_unless(
        $invitation->workspace_id === auth()->user()->currentWorkspace()->id,
        404
    );

    $invitation->delete();

    return redirect()->route('users.index');
}
```

- **Explanation**: Compare `$invitation->workspace_id` with the ID of the user's current workspace before deletion so that only invitations within the user's own workspace can be deleted. Aborting with 404 rather than 403 avoids confirming to the caller that an invitation with that ID exists in another workspace. The same check applies to any other action in the controller that receives an `Invitation` through route model binding; the binding itself provides no tenant scoping.

## Additional Information

- **Disclosure Note**: Discovered during security research; the author is willing to provide additional details.
- **Reference Implementation**: The `store()` method in the same controller correctly restricts scope via `$request->user()->currentWorkspace()` and can serve as a reference for the fix.
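The following Laravel feature test is an added example, not code from the project or from the report. It reproduces the cross-workspace deletion with one request and then asserts the behaviour the fix above is meant to enforce. The model class paths (`App\Models\User`, `App\Models\Workspace`, `App\Models\Invitation`), their factories, the `owner_id` and `current_workspace_id` columns used to satisfy `OwnsCurrentWorkspace` and `currentWorkspace()`, and the route name `workspace-invitations.destroy` are all assumptions about the code base; adjust them to the real names before running. Against the unfixed `destroy()` the first test fails (the request redirects and the victim's row is gone); against the fixed version both tests pass.

```php
<?php

namespace Tests\Feature;

use App\Models\Invitation;  // assumed model path
use App\Models\User;        // assumed model path
use App\Models\Workspace;   // assumed model path
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class CrossWorkspaceInvitationDeletionTest extends TestCase
{
    use RefreshDatabase;

    /**
     * Build a user who owns a workspace and has it selected as the current one.
     * `owner_id` and `current_workspace_id` are assumed column names.
     */
    private function ownerWithWorkspace(): array
    {
        $owner = User::factory()->create();
        $workspace = Workspace::factory()->create(['owner_id' => $owner->id]);
        $owner->forceFill(['current_workspace_id' => $workspace->id])->save();

        return [$owner, $workspace];
    }

    public function test_owner_cannot_delete_invitation_of_another_workspace(): void
    {
        [$attacker, $attackerWorkspace] = $this->ownerWithWorkspace();
        [$victim, $victimWorkspace] = $this->ownerWithWorkspace();

        // The invitation belongs to the victim's workspace, not the attacker's.
        $invitation = Invitation::factory()->create([
            'workspace_id' => $victimWorkspace->id,
        ]);

        // The attacker passes the OwnsCurrentWorkspace middleware (they do own
        // their own workspace) and references the victim's invitation ID directly.
        $this->actingAs($attacker)
            ->delete(route('workspace-invitations.destroy', $invitation)) // assumed route name
            ->assertNotFound();

        // The fixed controller must leave the foreign invitation untouched.
        $this->assertDatabaseHas('invitations', ['id' => $invitation->id]);
    }

    public function test_owner_can_delete_invitation_of_own_workspace(): void
    {
        [$owner, $workspace] = $this->ownerWithWorkspace();

        $invitation = Invitation::factory()->create([
            'workspace_id' => $workspace->id,
        ]);

        // Same request shape, but the invitation is in the caller's current
        // workspace, so the check passes and the redirect from destroy() is returned.
        $this->actingAs($owner)
            ->delete(route('workspace-invitations.destroy', $invitation)) // assumed route name
            ->assertRedirect(route('users.index'));

        $this->assertDatabaseMissing('invitations', ['id' => $invitation->id]);
    }
}
```

Keeping the negative test in the suite is what prevents the regression: a later refactor that drops the `workspace_id` comparison, or switches to a different binding, fails the first test immediately rather than reopening the IDOR silently.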