Bug Report
I attempted to use the “bug report” issue template, but it appears no longer functional—hence, I’m submitting this as a feature request even though it describes a bug.
Description
When adding a custom filter (e.g., AllowedFilter::custom('search', new SearchAssetFilter())) using Laravel Query Builder, the filter’s orWhere clauses seem to be placed at the same level as the initial .where('company_id', ...) constraints. This allows results that should remain scoped (by company_id and available) to leak into the query result if they match the orWhere condition.
Steps to Reproduce
1. Define a query with initial constraints (the code block from the original post is not present on this page).
2. Create a custom filter that adds orWhere clauses (code block likewise not present).
3. Make a request passing a search parameter that matches some other company’s assets (not owned by the current user’s company).
Expected Behavior
The search filter should be applied as a sub-condition that does not override the existing scope, ensuring only records where company_id = Auth::user()->managing_company_id and available = true are returned.
Actual Behavior
The orWhere clauses from the search filter are combined at the same level as the initial where('company_id', ...) constraints, effectively allowing records from other companies (where the search term matches) to appear in the results.
Additional Context
Because orWhere is on the same level, specifying a matching search term can bypass the initial company_id constraint.
This behavior results in data leakage and poses a security risk.
Please let me know if you need any additional information or if there are any suggested workarounds. Thank you!
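The following is an added example and is not code from the original issue or from spatie/laravel-query-builder itself. It reproduces the leak the report describes and shows the grouping that prevents it: when a filter calls orWhere directly on the Eloquent builder, the clause joins the top-level WHERE with OR and bypasses the company_id and available scope; wrapping the alternatives in a nested where closure makes them a single ANDed sub-condition. The Asset model and the name and serial_number columns are assumptions; the Filter interface, AllowedFilter::custom and the company_id, available and managing_company_id names come from the page and the library.

```php
<?php
// Added example, not code from the original issue or from spatie/laravel-query-builder.
// Assumed: an Asset model with columns company_id, available, name, serial_number.

use App\Models\Asset;                       // assumed model
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Support\Facades\Auth;
use Spatie\QueryBuilder\AllowedFilter;
use Spatie\QueryBuilder\Filters\Filter;
use Spatie\QueryBuilder\QueryBuilder;

// Leaky version: orWhere is chained straight onto the scoped builder, so the SQL reads
//   WHERE company_id = ? AND available = 1 OR name LIKE ? OR serial_number LIKE ?
// Any row matching the search term satisfies the OR branch, whatever its company.
class LeakySearchAssetFilter implements Filter
{
    public function __invoke(Builder $query, $value, string $property): void
    {
        $term = '%' . $value . '%';
        $query->orWhere('name', 'like', $term)
              ->orWhere('serial_number', 'like', $term);
    }
}

// Hardened version: the alternatives are grouped inside a nested closure, so the SQL reads
//   WHERE company_id = ? AND available = 1 AND (name LIKE ? OR serial_number LIKE ?)
// The company_id and available constraints now apply to every returned row.
class SearchAssetFilter implements Filter
{
    public function __invoke(Builder $query, $value, string $property): void
    {
        $term = '%' . $value . '%';
        $query->where(function (Builder $q) use ($term) {
            $q->where('name', 'like', $term)
              ->orWhere('serial_number', 'like', $term);
        });
    }
}

// Build the scoped query the way the issue describes and attach the grouped filter.
// Returns the Spatie QueryBuilder, which proxies get()/toSql() to the Eloquent builder.
function scopedAssets(): QueryBuilder
{
    $base = Asset::query()
        ->where('company_id', Auth::user()->managing_company_id)
        ->where('available', true);

    return QueryBuilder::for($base)
        ->allowedFilters([
            AllowedFilter::custom('search', new SearchAssetFilter()),
        ]);
}

// Regression check for a feature test (assumed test names and fixtures):
// create an available asset owned by another company whose name is "leaked-asset",
// request /assets?filter[search]=leaked-asset as a user of a different company,
// and assert that scopedAssets()->get() is empty. With LeakySearchAssetFilter
// in place of SearchAssetFilter the same test returns the foreign asset.
```

Inspecting scopedAssets()->toSql() while a filter[search] parameter is present makes the difference visible: the grouped version emits "and (" around the search alternatives, the leaky one emits a bare " or ". Two caveats when adopting this pattern: the closure grouping is what provides the scoping guarantee, so every orWhere a custom filter adds should sit inside such a closure; and because the search term is interpolated into a LIKE pattern, % and _ in user input act as wildcards, which is harmless for scoping here but worth escaping if exact matching matters.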