Anonymous Intelligence Signal

Critical Authorization Bypass: DELETE /stream/schedules/:id Allows Any Authenticated User to Cancel Other Users' Recurring Donations

human | The Lab | unverified | 2026-04-23 13:54:12 | Source: GitHub Issues

A critical broken object-level authorization (BOLA/IDOR) vulnerability has been identified in the `DELETE /stream/schedules/:id` endpoint, allowing any authenticated user with the `stream:delete` permission to cancel recurring donation schedules belonging to other users. The endpoint fails to verify that the requesting user's `publicKey` matches the `donorPublicKey` associated with the target schedule, creating a horizontal privilege escalation flaw. Security researchers note this represents a textbook IDOR pattern where object-level access controls are missing entirely from the authorization logic.

The vulnerability operates through a straightforward exploitation chain. A user with `stream:delete` permission can send a DELETE request targeting any schedule ID—regardless of ownership—to immediately terminate another user's recurring donation. User A creates a recurring donation schedule (ID: 1), while User B, possessing the required permission, sends `DELETE /stream/schedules/1` to cancel User A's schedule without any notification to the original donor. The missing ownership check means the system processes the deletion based solely on the presence of valid authentication credentials, not on the relationship between the requester and the target object.

The implications extend beyond individual schedule cancellations. Malicious actors with `stream:delete` access could systematically disrupt recurring donation programs by targeting multiple users, potentially damaging donor relationships and platform trust. The acceptance criteria outlined for the fix require that ownership verification be implemented so that only the schedule creator or an admin can modify a schedule, while non-owners receive a 403 Forbidden response. All schedule modification endpoints must undergo the same authorization review to prevent similar bypasses. The fix demands comprehensive testing to ensure non-owners cannot cancel schedules under any circumstances.
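To make the flaw and the acceptance criteria concrete, the following is an added example and not code from the affected project: an in-memory model of the `DELETE /stream/schedules/:id` handler with the missing object-level check beside the corrected one. The store layout, the user object shape (`publicKey`, `permissions`, `isAdmin`) and the `canModifySchedule` helper are assumptions for illustration; only the permission name `stream:delete`, the `donorPublicKey` field and the owner-or-admin / 403 rule come from the report. The ownership check is factored into one helper so the same rule can be reused by every schedule modification endpoint, which is what the review requirement calls for.

```javascript
// Added example, not the project's own code. Models the vulnerable and the
// hardened DELETE /stream/schedules/:id handlers against an in-memory store.

// Constructed sample data: two donors, each with one recurring schedule.
const SEED_SCHEDULES = [
  { id: 1, donorPublicKey: "pubkey-A", amount: 5, cancelled: false },
  { id: 2, donorPublicKey: "pubkey-B", amount: 10, cancelled: false },
];

// Constructed sample principals. `isAdmin` is an assumed attribute.
const USER_A = { publicKey: "pubkey-A", permissions: ["stream:delete"], isAdmin: false };
const USER_B = { publicKey: "pubkey-B", permissions: ["stream:delete"], isAdmin: false };
const ADMIN = { publicKey: "pubkey-admin", permissions: ["stream:delete"], isAdmin: true };
const NO_PERMISSION = { publicKey: "pubkey-B", permissions: [], isAdmin: false };

// Fresh copy of the store per scenario so runs do not interfere.
function freshStore() {
  return new Map(SEED_SCHEDULES.map((s) => [s.id, { ...s }]));
}

function hasPermission(user, permission) {
  return user.permissions.includes(permission);
}

// Vulnerable handler: the only gate is the coarse `stream:delete` permission.
// Any authenticated holder of that permission can cancel any schedule ID.
function deleteScheduleVulnerable(store, user, scheduleId) {
  if (!hasPermission(user, "stream:delete")) {
    return { status: 403, body: { error: "missing stream:delete permission" } };
  }
  const schedule = store.get(scheduleId);
  if (!schedule) {
    return { status: 404, body: { error: "schedule not found" } };
  }
  schedule.cancelled = true; // no comparison of user.publicKey to donorPublicKey
  return { status: 200, body: { cancelled: scheduleId } };
}

// Object-level rule shared by every schedule mutation endpoint: the requester
// must be the donor who created the schedule, or an admin.
function canModifySchedule(user, schedule) {
  return user.isAdmin === true || schedule.donorPublicKey === user.publicKey;
}

// Hardened handler: same coarse permission check, then the ownership check
// before any state change. Non-owners get 403 as the acceptance criteria require.
function deleteScheduleFixed(store, user, scheduleId) {
  if (!hasPermission(user, "stream:delete")) {
    return { status: 403, body: { error: "missing stream:delete permission" } };
  }
  const schedule = store.get(scheduleId);
  if (!schedule) {
    return { status: 404, body: { error: "schedule not found" } };
  }
  if (!canModifySchedule(user, schedule)) {
    return { status: 403, body: { error: "forbidden: not the schedule owner" } };
  }
  schedule.cancelled = true;
  return { status: 200, body: { cancelled: scheduleId } };
}

// Runs the cross-user scenario from the report against both handlers and
// reports whether User A's schedule survived User B's request.
function runScenario(handler) {
  const store = freshStore();
  const response = handler(store, USER_B, 1); // User B targets User A's schedule
  return { status: response.status, scheduleCancelled: store.get(1).cancelled };
}

// Stand-alone demo output.
console.log("vulnerable:", runScenario(deleteScheduleVulnerable));
console.log("fixed:     ", runScenario(deleteScheduleFixed));
```

A practical point for the regression test the report asks for: assert on the stored object's state after the request, not only on the HTTP status, so a handler that returns 403 but has already mutated the record still fails the test.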