fix(sec): Cross-Tenant-IDOR bei POP3-Konten schließen

Gleiches Muster wie bei IMAP (730099d): domain_admin konnte POP3-Konten fremder Tenants auflisten, löschen und Importe/Progress fremder Tenants ansehen, da pop3_accounts keine tenant_id hatte und Store.List() für Admins ungefiltert alle Konten lieferte. - pop3_accounts: neue Spalte tenant_id (ALTER TABLE ADD COLUMN IF NOT EXISTS) - Store.List() filtert nach tenant_id, außer für superadmin - Store.Create() setzt tenant_id beim Anlegen - delete/start-import/progress prüfen zusätzlich tenantAccessAllowed()
2026-06-12 23:31:56 +02:00
parent 730099d2aa
commit 501ee8f7ea
2 changed files with 22 additions and 10 deletions
@@ -34,6 +34,7 @@ type Account struct {
 	ProgressCurrent int        `json:"progress_current"`
 	ProgressTotal   int        `json:"progress_total"`
 	CreatedAt       time.Time  `json:"created_at"`
+	TenantID        *int64     `json:"tenant_id,omitempty"`
 }

 // Store manages POP3 account persistence in PostgreSQL.
@@ -62,6 +63,7 @@ CREATE TABLE IF NOT EXISTS pop3_accounts (
 	created_at       TIMESTAMPTZ NOT NULL DEFAULT now()
 );
 CREATE INDEX IF NOT EXISTS idx_pop3_accounts_owner ON pop3_accounts (owner);
+ALTER TABLE pop3_accounts ADD COLUMN IF NOT EXISTS tenant_id INTEGER REFERENCES tenants(id);
 `

 // New creates a new Store, connects to PostgreSQL, and runs the schema migration.
@@ -93,10 +95,10 @@ func (s *Store) Create(ctx context.Context, acc Account, password string) (*Acco
 	}

 	row := s.pool.QueryRow(ctx, `
-		INSERT INTO pop3_accounts (owner, name, host, port, tls, tls_skip_verify, username, password_enc)
-		VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
+		INSERT INTO pop3_accounts (owner, name, host, port, tls, tls_skip_verify, username, password_enc, tenant_id)
+		VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
 		RETURNING id, created_at`,
-		acc.Owner, acc.Name, acc.Host, acc.Port, acc.TLS, acc.TLSSkipVerify, acc.Username, enc,
+		acc.Owner, acc.Name, acc.Host, acc.Port, acc.TLS, acc.TLSSkipVerify, acc.Username, enc, acc.TenantID,
 	)

 	if err := row.Scan(&acc.ID, &acc.CreatedAt); err != nil {
@@ -111,7 +113,7 @@ func (s *Store) Create(ctx context.Context, acc Account, password string) (*Acco
 // selectColumns is the canonical column list used in all SELECT statements.
 const selectColumns = ` id, owner, name, host, port, tls, tls_skip_verify, username,
 	status, error_msg, last_import_at, last_import_count,
-	progress_current, progress_total, created_at `
+	progress_current, progress_total, created_at, tenant_id `

 // scanner abstracts pgx.Row and pgx.Rows — both expose Scan(...any) error.
 type scanner interface {
@@ -123,21 +125,26 @@ func scanRow(row scanner) (Account, error) {
 	err := row.Scan(
 		&a.ID, &a.Owner, &a.Name, &a.Host, &a.Port, &a.TLS, &a.TLSSkipVerify, &a.Username,
 		&a.Status, &a.ErrorMsg, &a.LastImportAt,
-		&a.LastImportCount, &a.ProgressCurrent, &a.ProgressTotal, &a.CreatedAt,
+		&a.LastImportCount, &a.ProgressCurrent, &a.ProgressTotal, &a.CreatedAt, &a.TenantID,
 	)
 	return a, err
 }

-// List returns POP3 accounts. Admins see all accounts; regular users see only their own.
-func (s *Store) List(ctx context.Context, owner string, isAdmin bool) ([]Account, error) {
+// List returns POP3 accounts. Superadmins (tenantID == nil) see all accounts;
+// other admins (tenantID != nil) see all accounts within their own tenant;
+// regular users see only their own accounts.
+func (s *Store) List(ctx context.Context, owner string, isAdmin bool, tenantID *int64) ([]Account, error) {
 	var rows pgx.Rows
 	var err error

 	q := `SELECT` + selectColumns + `FROM pop3_accounts`

-	if isAdmin {
+	switch {
+	case isAdmin && tenantID == nil:
 		rows, err = s.pool.Query(ctx, q+` ORDER BY id`)
-	} else {
+	case isAdmin:
+		rows, err = s.pool.Query(ctx, q+` WHERE tenant_id = $1 ORDER BY id`, *tenantID)
+	default:
 		rows, err = s.pool.Query(ctx, q+` WHERE owner = $1 ORDER BY id`, owner)
 	}
 	if err != nil {