nilsteampassnet/TeamPass

I can delete Root folder even if I don't have permissions.

nykroy opened this issue · 2 comments

Steps to reproduce

  1. Select folder
  2. Delete folder
  3. I click on the message that indicates if I want to confirm the deletion.
  4. While it is loading, I click again on the message that indicates if I want to confirm the deletion.

It seems that the second time I confirm the message, it sends the deletion data, losing the folder ID, so it interprets it as 0 (which is the root folder).

Server configuration

Operating system: Debian

Web server:

Database:

PHP version:

Teampass version: 3.1.2

Teampass configuration file:

Updated from an older Teampass or fresh install: yes

Client configuration

Browser: Edge

Operating system: Windows


I reproduce. On the js side everything seems correct (I clicked 4 times), however everything is deleted:
[screenshot]

User items view:
[screenshot]

Admin folders view:
[screenshot]

Database:
[screenshot]

NestedTree->getDescendants() documentation:

     * @param int  $folder_id    The ID of the node to fetch descendant data for.
     *                           Specify an invalid ID (e.g. 0) to retrieve all data.

There are two problems:

  • We should not be able to delete the root folder.
  • Permissions must be checked for each deleted folder or item.
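An added illustration (not TeamPass code) of the two fixes the comment asks for, written in Python rather than the project's PHP: reject a missing or zero folder id before any tree lookup, and check delete rights on every descendant before anything is removed. The folder tree, the permission map and the request values are constructed for the example; `get_descendants` only mimics the documented "invalid id returns all data" behaviour.

```python
"""Hardened folder-delete check modelled on the double-confirm bug (constructed example)."""
from typing import Dict, Set, Tuple

# Constructed nested-folder tree: folder id -> parent id (0 marks a top-level folder).
TREE: Dict[int, int] = {1: 0, 2: 1, 3: 1, 4: 3, 5: 0}


def get_descendants(tree: Dict[int, int], folder_id: int) -> Set[int]:
    """Mirror the documented NestedTree behaviour: an unknown id such as 0
    returns every node. That is what turned a lost id into a full wipe."""
    if folder_id not in tree:
        return set(tree)
    found: Set[int] = set()
    frontier = {folder_id}
    while frontier:
        found |= frontier
        frontier = {n for n, p in tree.items() if p in frontier and n not in found}
    return found


def delete_folder(tree: Dict[int, int], perms: Dict[str, Set[int]],
                  user: str, raw_id) -> Tuple[str, object]:
    """Validate the id first, then require delete rights on every folder that
    would go, then delete. Returns ("deleted", ids) or ("refused", reason)."""
    try:
        folder_id = int(raw_id)          # "" or None (lost id) fails here, not later
    except (TypeError, ValueError):
        return "refused", "missing or non-numeric folder id"
    if folder_id <= 0 or folder_id not in tree:
        return "refused", f"folder {folder_id} is not a deletable folder"
    targets = get_descendants(tree, folder_id)
    denied = {f for f in targets if f not in perms.get(user, set())}
    if denied:                           # one unauthorised descendant blocks the whole delete
        return "refused", f"no delete right on folders {sorted(denied)}"
    for f in targets:
        del tree[f]
    return "deleted", targets


if __name__ == "__main__":
    folders = dict(TREE)
    rights = {"alice": {3, 4}}
    print(delete_folder(folders, rights, "alice", "3"))   # first confirm: deletes 3 and 4
    print(delete_folder(folders, rights, "alice", ""))    # replayed confirm with lost id: refused
```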