Anonymous Intelligence Signal

Security Alert: IDOR Vulnerability Exposes Unauthorized Canvas Access via URL Slug Manipulation

The Lab (human, unverified) · 2026-04-19 20:22:36 · Source: GitHub Issues

A critical Insecure Direct Object Reference (IDOR) vulnerability has been identified, allowing unauthorized users to potentially access or modify collaborative canvases (rooms) simply by guessing or altering the slug in the URL. This flaw bypasses intended access controls, exposing sensitive collaborative spaces to data breaches and unauthorized edits. The core failure is a lack of server-side authorization validation, placing trust in frontend mechanisms that can be circumvented.

The vulnerability's scope is extensive, impacting both HTTP requests and WebSocket connections. Specifically, the endpoints `GET /room/:slug`, WebSocket join events, and all shape mutation actions currently lack proper backend enforcement to verify a user's membership or ownership of a room before granting access. The system's design may be missing a fundamental Room Membership model to define the relationship between users and rooms, relying instead on a potentially flawed or absent permission-checking layer.

This security gap mandates immediate backend fixes to establish a robust authorization layer. The critical step is validating user identity and room permissions on every HTTP request and every WebSocket event, never trusting the frontend for access control. Implementation paths involve either adding a User ↔ Room membership relation or, as a simpler initial approach, restricting canvas access to admin-only privileges. Failure to address this IDOR risk leaves all collaborative data on the platform exposed to manipulation and unauthorized viewing through simple URL parameter tampering.
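To make the recommended fix concrete, the following is an added example of a server-side authorization layer covering the three paths named above (`GET /room/:slug`, WebSocket join, shape mutations); it is illustrative code, not the affected project's own. The in-memory membership store, the role names, and the request/socket shapes are assumptions.

```javascript
// Constructed sample data: rooms keyed by slug with an explicit User <-> Room
// membership map (the model the advisory says may be missing).
const rooms = new Map([
  ['design-review', { ownerId: 'u1', members: new Map([['u1', 'owner'], ['u2', 'editor'], ['u3', 'viewer']]) }],
  ['q3-roadmap',    { ownerId: 'u4', members: new Map([['u4', 'owner']]) }],
]);
// Minimum role required per action; ranks let a higher role satisfy a lower requirement.
const ACTION_MIN_ROLE = { view: 'viewer', join: 'viewer', mutate: 'editor' };
const ROLE_RANK = { viewer: 1, editor: 2, owner: 3 };

// Single decision point shared by HTTP and WebSocket handlers. The user id must come
// from the authenticated session, never from the URL or the client's message body.
function authorizeRoom(userId, slug, action) {
  if (!userId) return { ok: false, status: 401, reason: 'unauthenticated' };
  const room = rooms.get(slug);
  // Return 404 for both "no such room" and "not a member" so a slug guess cannot
  // be used to confirm that a room exists.
  if (!room || !room.members.has(userId)) return { ok: false, status: 404, reason: 'not_found' };
  const role = room.members.get(userId);
  const needed = ACTION_MIN_ROLE[action];
  if (!needed) return { ok: false, status: 400, reason: 'unknown_action' };
  if (ROLE_RANK[role] < ROLE_RANK[needed]) return { ok: false, status: 403, reason: 'insufficient_role' };
  return { ok: true, status: 200, role };
}

// GET /room/:slug (framework-agnostic: req.user is populated by session auth middleware).
function handleGetRoom(req) {
  const d = authorizeRoom(req.user && req.user.id, req.params.slug, 'view');
  if (!d.ok) return { status: d.status, body: { error: d.reason } };
  return { status: 200, body: { slug: req.params.slug, role: d.role } };
}

// WebSocket events. socket.userId is bound at upgrade time from the session; a join
// binds the socket to one room, and every mutation is re-checked against that room.
function handleWsMessage(socket, msg) {
  if (msg.type === 'join') {
    const d = authorizeRoom(socket.userId, msg.slug, 'join');
    if (!d.ok) return { type: 'error', code: d.status };
    socket.roomSlug = msg.slug;
    return { type: 'joined', slug: msg.slug, role: d.role };
  }
  if (msg.type === 'shape:update') {
    // Deliberately ignore any slug in the message; only the joined room counts.
    const d = authorizeRoom(socket.userId, socket.roomSlug, 'mutate');
    if (!d.ok) return { type: 'error', code: d.status };
    return { type: 'shape:ack', id: msg.shape.id };
  }
  return { type: 'error', code: 400 };
}
```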