Summary
The checkCompanyAndWorkspaceForUser middleware in channels routes only validates UUID format, not actual workspace membership. A user from Company A can access public channels in ANY workspace within the company, even ones they don't belong to. Messages and files routes also lack company-level access control.
Details
Root Cause
File: twake/backend/node/src/services/channels/web/middleware.ts (lines 4-12)
export function checkCompanyAndWorkspaceForUser(
companyId: string,
workspaceId: string,
): Promise<boolean> {
return Promise.resolve(
validateUuid(companyId) &&
(validateUuid(workspaceId) || workspaceId === ChannelVisibility.DIRECT),
);
}
This only validates UUID format, never checks workspace membership.
Secure Comparison
Workspace routes correctly validate membership (twake/backend/node/src/services/workspaces/web/routes.ts lines 55-67):
const companyCheck = async (request) => {
await checkUserBelongsToCompany(request.currentUser.id, request.params.company_id);
};
Additional Missing Checks
- Messages/threads routes (
services/messages/web/routes.ts): Only fastify.authenticate, no company/workspace access control
- Files routes (
services/files/web/routes.ts): Only JWT validation, no company membership check
- Channel controller (
channels/web/controllers/channel.ts lines 81-92): Only checks membership for private/direct channels, public channels skip workspace check
Impact
A user authenticated in Company A can access public channels, messages, and files in any workspace within the company, even workspaces they haven't been invited to.
Remediation
Replace checkCompanyAndWorkspaceForUser with actual workspace membership validation, and add checkUserBelongsToCompany to messages and files routes.
Summary
The
checkCompanyAndWorkspaceForUsermiddleware in channels routes only validates UUID format, not actual workspace membership. A user from Company A can access public channels in ANY workspace within the company, even ones they don't belong to. Messages and files routes also lack company-level access control.Details
Root Cause
File:
twake/backend/node/src/services/channels/web/middleware.ts(lines 4-12)This only validates UUID format, never checks workspace membership.
Secure Comparison
Workspace routes correctly validate membership (
twake/backend/node/src/services/workspaces/web/routes.tslines 55-67):Additional Missing Checks
services/messages/web/routes.ts): Onlyfastify.authenticate, no company/workspace access controlservices/files/web/routes.ts): Only JWT validation, no company membership checkchannels/web/controllers/channel.tslines 81-92): Only checks membership for private/direct channels, public channels skip workspace checkImpact
A user authenticated in Company A can access public channels, messages, and files in any workspace within the company, even workspaces they haven't been invited to.
Remediation
Replace
checkCompanyAndWorkspaceForUserwith actual workspace membership validation, and addcheckUserBelongsToCompanyto messages and files routes.