[Bug]: Add missing authentication to /award and /invite endpoints #878

@Valkyriezz

Description

The Bug

The /award and /invite POST endpoints in tahrir/views/badge.py are missing the @oidc.require_login decorator. Both endpoints perform write operations to the database (awarding badges and creating invitations) but do not verify the user is authenticated first.

Impact

  • /award (line 158): Calls g.tahrirdb.add_assertion() to award a badge to a user. Without authentication, g.oidc_user.person is None, which gets passed to badge.authorized(None). This is a security concern as the endpoint performs a database write.

  • /invite (line 184): Calls g.tahrirdb.add_invitation() to create a badge invitation. Without authentication, g.oidc_user.person is None, and agent.email on line 202 raises an AttributeError.

Every other write endpoint in the views layer uses @oidc.require_login:

  • admin() in views/admin.py — has @oidc.require_login
  • award_from_csv() in views/admin.py — has @oidc.require_login
  • add_tag() in views/admin.py — has @oidc.require_login
  • award() in views/badge.py — MISSING
  • invite() in views/badge.py — MISSING
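The consistency check the list above performs by hand can be automated. The following is an added example, not tahrir's own code: a stdlib-only AST scan that flags Flask route handlers accepting a write method (POST, PUT, PATCH, DELETE) without an `@oidc.require_login` decorator. The sample module is constructed, and the `blueprint` name and the shape of the route decorators are assumptions about how the views are declared.

```python
import ast

# Constructed stand-in for tahrir/views/badge.py; only the decorators matter here.
SAMPLE_VIEWS = '''
@blueprint.route("/award", methods=["POST"])
def award():
    pass

@blueprint.route("/invite", methods=["POST"])
def invite():
    pass

@blueprint.route("/admin", methods=["GET", "POST"])
@oidc.require_login
def admin():
    pass

@blueprint.route("/badge/<badge_id>")
def badge(badge_id):
    pass
'''

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def _dotted(node):
    """Dotted callee name of a decorator, e.g. 'oidc.require_login'."""
    return ast.unparse(node.func if isinstance(node, ast.Call) else node)

def _route_methods(call):
    """HTTP methods listed in a .route(...) decorator; Flask defaults to GET."""
    for kw in call.keywords:
        if kw.arg == "methods" and isinstance(kw.value, (ast.List, ast.Tuple)):
            return {c.value for c in kw.value.elts if isinstance(c, ast.Constant)}
    return {"GET"}

def unprotected_write_views(source, guard="oidc.require_login"):
    """Names of route handlers that accept a write method but lack `guard`."""
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, ast.FunctionDef):
            continue
        names = {_dotted(d) for d in fn.decorator_list}
        routes = [d for d in fn.decorator_list
                  if isinstance(d, ast.Call) and _dotted(d).endswith(".route")]
        methods = set().union(*(_route_methods(r) for r in routes))
        if methods & WRITE_METHODS and guard not in names:
            findings.append(fn.name)
    return findings
```

Run over the real `views/*.py` files this reports `award` and `invite` for the sample above and nothing for GET-only or already guarded handlers; it does not understand `@app.post(...)` shorthand or guards applied inside the function body.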
