Skip to content

Fix: Prevent identity spoofing in document creation by enforcing server-side ownership#12153

Open
vivekrajpoot484-crypto wants to merge 3 commits intoappwrite:1.9.xfrom
vivekrajpoot484-crypto:fix-createdby-impersonation
Open

Fix: Prevent identity spoofing in document creation by enforcing server-side ownership#12153
vivekrajpoot484-crypto wants to merge 3 commits intoappwrite:1.9.xfrom
vivekrajpoot484-crypto:fix-createdby-impersonation

Conversation

@vivekrajpoot484-crypto
Copy link
Copy Markdown

@vivekrajpoot484-crypto vivekrajpoot484-crypto commented Apr 27, 2026

What does this PR do?

This PR prevents identity spoofing during document creation by enforcing server-side ownership.

It removes trust from client-provided identity fields ($createdBy, $owner, ownerId, userId) and ensures ownership is always derived from the authenticated user session only.

This fixes a security issue where malicious clients could attempt to impersonate other users by injecting identity fields in the request payload.

Test Plan

  1. Create a document using an authenticated user session.
  2. Verify $createdBy is automatically set to the authenticated user ID.
  3. Attempt to send custom identity fields in the request ($createdBy, userId, etc.).
  4. Confirm these fields are ignored and overwritten by the server.
  5. Verify document ownership is always tied to the logged-in user only.
  6. Test API key requests to ensure $createdBy is null when no user session exists.

Related PRs and Issues

  • N/A

Checklist

  • Have you read the Contributing Guidelines on issues?
  • Changes enforce server-side ownership validation
  • No breaking changes to API schema or permissions system
  • Identity fields are properly sanitized before processing

@greptile-apps
Copy link
Copy Markdown
Contributor

greptile-apps Bot commented Apr 27, 2026
edited
Loading

Greptile Summary

This PR attempts to prevent identity spoofing in document creation by stripping client-provided identity fields and enforcing server-side ownership via $createdBy. However, the implementation introduces several critical regressions that break core Appwrite functionality and corrupt user data — all of which have been flagged in the inline comments above.

Confidence Score: 0/5

Not safe to merge — the PR breaks server-token/API-key document creation, silently drops legitimate user-defined collection attributes, and conflicts with the database layer's authoritative ownership assignment.

Multiple P0 issues are present: the early isEmpty() guard completely blocks API-key and admin server-token requests (a fully supported auth mode declared in the SDK metadata), unsetting userId, ownerId, and permissions destroys user data in any collection that legitimately uses those attribute names, and overwriting $createdBy at the application layer conflicts with the existing database-layer assignment and silently sets it to an empty string for API-key sessions.

src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Create.php requires a full re-review of the ownership-enforcement approach.

Important Files Changed

Filename Overview
src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Create.php Security fix attempt that introduces multiple critical regressions: early null/empty guard breaks API-key and admin server-token requests, unsetting userId/ownerId/permissions silently corrupts user-defined collection attributes, and force-assigning $createdBy at the application layer conflicts with the database layer's authoritative ownership derivation.

Reviews (3): Last reviewed commit: "Merge branch '1.9.x' into fix-createdby-..." | Re-trigger Greptile

greptile-apps[bot]
greptile-apps Bot reviewed Apr 27, 2026
View reviewed changes
Comment thread src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Create.php Outdated
Comment thread src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Create.php
Comment thread src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Create.php
greptile-apps[bot]
greptile-apps Bot reviewed Apr 28, 2026
View reviewed changes
Comment thread src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Create.php
Comment thread src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Create.php
$document['userId'],
$document['createdBy'],
$document['ownerId'],
$document['permissions']
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps Bot Apr 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Unsetting permissions corrupts user-defined fields

permissions (without the $ prefix) is not a system-reserved field — the actual Appwrite system field is $permissions. Any user collection that has an attribute literally named permissions will have that field silently dropped from every document being created. Only $-prefixed system fields should be stripped here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@vivekrajpoot484-crypto