Skip to content

fix: Enforce task author immutability upon modification#38

Merged
Mike031289 merged 2 commits into
developfrom
fix/task-author-immutable
Jul 8, 2026
Merged

fix: Enforce task author immutability upon modification#38
Mike031289 merged 2 commits into
developfrom
fix/task-author-immutable

Conversation

@Mike031289

Copy link
Copy Markdown
Owner

Description

This Pull Request addresses a data integrity vulnerability where editing an existing task could potentially alter or clear its original author. It ensures that the task's ownership remains strictly immutable during a POST form submission, blocking any external attempt to falsify or wipe out data ownership.

Changes Made

1. Form Protection (src/AppBundle/Form/TaskType.php)

  • Inspected the form structure to ensure no user or author field is exposed or modifiable by the client during edition.

2. Controller Security (src/AppBundle/Controller/TaskController.php)

  • Updated editAction() to snapshot the $originalAuthor reference before handling the request payload.
  • Forced re-assignment of the original author right before flushing the entity manager ($task->setUser($originalAuthor)), making the property fully tamper-proof.

3. Functional Testing (tests/AppBundle/Controller/TaskControllerTest.php)

  • Implemented testEditTaskUserRemainsImmutable() using HTTP Basic Auth.
  • The test simulates a task modification via a POST request, flushes/clears the Doctrine identity map, and asserts via database IDs that the title was updated while the user relation remained untouched.

How to Test / Review

  1. Switch to this branch: git checkout fix/task-author-immutable
  2. Reset the test environment and database fixtures:
    php bin/console cache:clear --env=test
    php bin/console doctrine:schema:update --force --env=test
    php bin/console doctrine:fixtures:load --env=test -n

@Mike031289 Mike031289 self-assigned this Jul 8, 2026
@Mike031289 Mike031289 added bug Something isn't working enhancement New feature or request feature Extra attention is needed security labels Jul 8, 2026
@codacy-production

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric Results
Complexity 0
Duplication 0

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@Mike031289
Mike031289 merged commit 5ca7f87 into develop Jul 8, 2026
2 checks passed
@github-project-automation github-project-automation Bot moved this from Backlog to Done in @Mike031289's ToDo-Co Jul 8, 2026
@Mike031289
Mike031289 deleted the fix/task-author-immutable branch July 8, 2026 18:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working enhancement New feature or request feature Extra attention is needed security

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

1 participant