Decidim: Forms admin question editor lacks authorization
Description
A participant can load the demographics questionnaire admin editor and make changes.
Technical description
The demographics questionnaire editor should require admin access, but the route under /admin/demographics/questions renders the editor interface without checking whether the caller is an admin. A normal participant can load the page and see the live update form action, which proves the protected interface is reachable.
Reproduction steps:
Step 1. Sign in as a normal participant: Open http://localhost:3000/users/sign_in.
Step 2. Request the admin-only editor directly. Open http://localhost:3000/admin/demographics/questions/edit_questions in the same browser.
Step 3. Add another question:
Note that access was denied when attempting to see question responses or settings.
Impact
- Low-privilege users can access questionnaire-admin interfaces.
- They can read question-management surfaces that should remain limited to questionnaire managers.
Patches
See https://github.com/decidim/decidim/pull/16665
Workarounds
Disable the "decidim-demographics" module
Reference
OWASP A01:2021 Broken Access Control
Credits
This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.