Severity: medium
Criticality Justification
A regular (non-admin) user can execute arbitrary NXQL queries through the nxql_search page provider without restriction and thereby read the details of documents that do not belong to them.
Steps To Reproduce
Step 1: Log in to the application as a regular user (user-pentest-1 or user-pentest-2).
Step 2: Using that user's session, send a GET request to the endpoint /nuxeo/api/v1/search/pp/nxql_search/execute with the following parameters: currentPageIndex=0&pageSize=20&queryParams=SELECT%20*%20FROM%20Document (https://api.us.cobalt.io/v1/attachments/att_Wr01QgY/preview)
The response contains document details belonging to other users (for example nco-admin or pentest-admin) that are not returned when the same user runs the query through the regular endpoint /nuxeo/api/v1/search/execute, which is the one regular users are expected to use. Comparing the two result sets for the same user shows exactly which documents the page-provider endpoint exposes.
Suggested Fix
Enforce an authorization check in the /nuxeo/api/v1/search/pp/nxql_search/execute endpoint before the query is processed or any results are returned. The endpoint should be limited to administrators; when the requesting principal does not have that role, reject the request (for example with 403 Forbidden) instead of executing the query. After the fix, repeat Step 2 as user-pentest-1 and confirm that the request is rejected and no document data is included in the response.
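The check described above, written here as an added illustration and not as Nuxeo's own code or configuration: it recognizes the page-provider request shape used in Step 2, extracts the NXQL statement from it, and denies the call for any principal outside the administrators group before the query would run. The group name "administrators", the parameter names queryParams and query, and the sample requests are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed names (not Nuxeo's own configuration): the group that marks an
# administrator and the page providers that should be admin-only.
ADMIN_GROUP = "administrators"
RESTRICTED_PAGE_PROVIDERS = {"nxql_search"}

# Path shape of the page-provider endpoint named in the finding.
PP_EXECUTE_RE = re.compile(r"^/nuxeo/api/v1/search/pp/(?P<pp>[^/]+)/execute/?$")


def page_provider_of(url: str):
    """Return the page-provider name from /search/pp/<name>/execute, else None."""
    match = PP_EXECUTE_RE.match(urlsplit(url).path)
    return match.group("pp") if match else None


def nxql_of(url: str):
    """Return the NXQL statement carried by the request, or None.

    Assumption: the page-provider endpoint receives it in queryParams and the
    regular /search/execute endpoint in query. parse_qs decodes %20 etc.
    """
    params = parse_qs(urlsplit(url).query)
    for key in ("queryParams", "query"):
        if key in params:
            return params[key][0]
    return None


def authorize_search(url: str, principal_groups) -> tuple:
    """Decide whether the principal may call this search URL.

    Returns (allowed, reason). A call to a restricted page provider is
    rejected outright for non-administrators, before any query executes.
    """
    pp = page_provider_of(url)
    if pp is None:
        return True, "not a page-provider call; normal result filtering applies"
    if pp in RESTRICTED_PAGE_PROVIDERS and ADMIN_GROUP not in set(principal_groups):
        return False, f"page provider '{pp}' is limited to group '{ADMIN_GROUP}'"
    return True, f"page provider '{pp}' permitted"


# Constructed sample requests; the first one is the request from Step 2.
SAMPLE_REQUESTS = [
    ("user-pentest-1", {"members"},
     "/nuxeo/api/v1/search/pp/nxql_search/execute"
     "?currentPageIndex=0&pageSize=20&queryParams=SELECT%20*%20FROM%20Document"),
    ("pentest-admin", {"members", "administrators"},
     "/nuxeo/api/v1/search/pp/nxql_search/execute"
     "?currentPageIndex=0&pageSize=20&queryParams=SELECT%20*%20FROM%20Document"),
    ("user-pentest-1", {"members"},
     "/nuxeo/api/v1/search/execute?query=SELECT%20*%20FROM%20Document"),
]


def evaluate_samples():
    """Run the check over the constructed requests; returns one row per request."""
    rows = []
    for user, groups, url in SAMPLE_REQUESTS:
        allowed, reason = authorize_search(url, groups)
        rows.append((user, page_provider_of(url), nxql_of(url), allowed, reason))
    return rows


if __name__ == "__main__":
    for user, pp, nxql, allowed, reason in evaluate_samples():
        verdict = "ALLOW" if allowed else "DENY (403)"
        print(f"{verdict:10} user={user} pp={pp} nxql={nxql!r}: {reason}")
```

The decision is made on the request path alone, before the NXQL statement is parsed or executed, so a regular user cannot reach the query engine through the page-provider route at all; the regular /search/execute route is left to the existing result filtering.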
Prerequisites
An authenticated regular (non-admin) user account is required.