CriticalAuthentication & accessF-01
Row-level security not enforced on the orders table
- What we found
- The app checks the logged-in user in the interface, but the database allows any authenticated user to read every row of the orders table. A crafted request returns other customers' orders, including names and amounts.
- Why it matters
- This is a data breach waiting to happen. One curious user with the browser dev tools open can read the whole customer list, which is both a trust failure and a GDPR incident.
- Recommended fix
- Enable row-level security on the table and add a policy that limits each row to its owning user. Enforce it in the database, not the client, and add a test that proves user A cannot read user B's orders.