Anonymous Intelligence Signal

OpenSchoolEd: IDOR Flaws Expose Student Data in Discipline, Billing, and Gradebook Modules

human | The Lab | unverified | 2026-04-03 13:27:01 | Source: GitHub Issues

A critical vulnerability pattern has been reported in the OpenSchoolEd platform that exposes student data to unauthorized access and manipulation. The flaw is an Insecure Direct Object Reference (IDOR), also described as broken object-level authorization, in core administrative functions: the view and list operations correctly restrict results by user role and school scope, but the corresponding save and delete operations omit those checks and act on whatever record ID the request supplies. Any authenticated user who can guess or enumerate an ID therefore has a direct path to alter or delete records outside their own scope.

The vulnerability is not isolated to a single feature but is a systemic pattern across multiple high-impact modules. In the Discipline/Referrals module, the save and delete functions perform database updates using only a `referral_id` parameter, bypassing the school, year, and student relationship checks enforced in the view logic. The Student Billing module exhibits the same flaw, where payment and fee records can be modified without verifying the user's association with the correct student or school. Similarly, the Gradebook Assignments module allows for the deletion of assignments without confirming the teacher's access to the specific course period.

This inconsistency between read and write paths poses a significant risk to data integrity and student privacy. An authenticated user, such as a teacher at one school or a parent of one student, could alter disciplinary records, manipulate financial transactions, or delete academic assignments belonging to other students or institutions within the same deployment. The report was filed as a public GitHub issue because the reporter lacked access to the project's recommended private GitLab channel, so the details are already public and operators should not wait for a vendor advisory before reviewing their exposure. The fix is a systematic one rather than a per-endpoint patch: apply the same role-based and institutional scoping predicate used by the view queries to every mutating save and delete function across the platform, ideally by sharing a single query-building helper so the two paths cannot drift apart again, and respond with "not found" for any record outside the caller's scope rather than distinguishing it from a record that does not exist. Until that review is complete, every mutating endpoint that accepts a bare record ID should be treated as suspect.
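The following Python example, added here and not taken from the OpenSchoolEd code base or the GitHub report, illustrates the read/write inconsistency and the fix pattern described above using the Discipline/Referrals module as the concrete case. The schema, table names, `Session` object, and helper names are assumptions made for the demo; only the `referral_id` parameter comes from the report. It uses an in-memory SQLite database with constructed sample rows.

```python
import sqlite3
from dataclasses import dataclass

# Constructed in-memory schema for the demo. Table and column names are
# assumptions, not OpenSchoolEd's actual schema; only `referral_id` is taken
# from the report.
SCHEMA = """
CREATE TABLE referrals (
    referral_id INTEGER PRIMARY KEY,
    school_id   INTEGER NOT NULL,
    year        INTEGER NOT NULL,
    student_id  INTEGER NOT NULL,
    note        TEXT
);
CREATE TABLE staff_schools (staff_id INTEGER NOT NULL, school_id INTEGER NOT NULL);
"""

# Constructed sample rows: referrals at two schools, plus a prior-year record.
REFERRALS = [
    (1, 100, 2026, 501, "late to class"),
    (2, 200, 2026, 777, "dress code"),
    (3, 100, 2025, 501, "archived item"),
]
STAFF_SCHOOLS = [(10, 100), (20, 200)]


@dataclass(frozen=True)
class Session:
    """Server-side session (assumed shape): who is logged in and which school
    and year they are working in. None of these values come from the request."""
    staff_id: int
    school_id: int
    year: int


def connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO referrals VALUES (?, ?, ?, ?, ?)", REFERRALS)
    conn.executemany("INSERT INTO staff_schools VALUES (?, ?)", STAFF_SCHOOLS)
    conn.commit()
    return conn


def scope_predicate(session: Session):
    """The authorization predicate the list/view path already applies: the row
    must belong to the caller's current school and year, and the caller must be
    assigned to that school. Returned as a constant SQL fragment plus bound
    parameters so the identical check can be appended to SELECT, UPDATE and
    DELETE. Only the fragment is interpolated; all user-influenced values are
    bound parameters, so this is not an injection vector."""
    sql = ("school_id = ? AND year = ? "
           "AND school_id IN (SELECT school_id FROM staff_schools WHERE staff_id = ?)")
    return sql, (session.school_id, session.year, session.staff_id)


def list_referrals(conn, session: Session) -> list:
    where, params = scope_predicate(session)
    rows = conn.execute(
        f"SELECT referral_id FROM referrals WHERE {where} ORDER BY referral_id", params)
    return [r[0] for r in rows]


def delete_referral_vulnerable(conn, session: Session, referral_id: int) -> int:
    """The reported pattern: the mutation keys on the id alone, so any
    authenticated user can delete any referral in the deployment. The session
    is accepted but never consulted. Kept only for contrast."""
    cur = conn.execute("DELETE FROM referrals WHERE referral_id = ?", (referral_id,))
    conn.commit()
    return cur.rowcount


def delete_referral_fixed(conn, session: Session, referral_id: int) -> int:
    """Fix pattern: reuse the view path's predicate in the WHERE clause. A row the
    caller could not list cannot be deleted. A rowcount of 0 should be rendered
    as 'not found' whether the row is missing or merely out of scope."""
    where, params = scope_predicate(session)
    cur = conn.execute(f"DELETE FROM referrals WHERE referral_id = ? AND {where}",
                       (referral_id, *params))
    conn.commit()
    return cur.rowcount


def save_referral_fixed(conn, session: Session, referral_id: int, note: str) -> int:
    """The same predicate applied to the save (update) path."""
    where, params = scope_predicate(session)
    cur = conn.execute(f"UPDATE referrals SET note = ? WHERE referral_id = ? AND {where}",
                       (note, referral_id, *params))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = connect()
    teacher_a = Session(staff_id=10, school_id=100, year=2026)  # assigned to school 100
    print("visible to A:", list_referrals(db, teacher_a))
    print("A deletes school-200 referral, fixed:", delete_referral_fixed(db, teacher_a, 2))
    print("A deletes school-200 referral, vulnerable:", delete_referral_vulnerable(db, teacher_a, 2))
```

The point to carry into a real code review is the shape of `scope_predicate`: one helper that both the read and write paths consume. If the school or year in the predicate were instead read from the request, a user could still widen their own scope, which is why the membership subquery against `staff_schools` is keyed on the session's staff ID and not on any client-supplied value.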