## Description
There is an issue with the audit submission process on Code4rena. Audits are intended to be limited to specific participants, specifically to certified/backstage role members. However, any warden, regardless of their role association, can submit a report for these audits.
## Impact
This has the potential to compromise the integrity of audits by allowing unauthorized wardens to submit reports for audits they are not eligible for.
## To Reproduce
1. Log in to the Code4rena platform.
2. Navigate to the audit page that is intended only for certified/backstage role members.
3. Instead of being restricted, any warden user can access the submission form directly by appending "/submit" to the audit link (e.g., https://code4rena.com/audits/audit-name/submit).
4. The report submission form opens without any validation to check if the user is eligible for this audit.
## Expected behavior
Only limited specific participants should be able to access the report submission form for audits limited to specific participants. Any attempt by other wardens or users without the proper role should be denied access to the submission form.
## Actual behaviour
Currently, any warden can access the report submission form for audits intended only for members. The system allows them to submit reports without any validation or checks for eligibility.
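The fix the report asks for is a server-side eligibility check on the submit route itself, applied to both rendering the form and accepting the submission, so that reaching the URL directly is checked the same way as the normal flow. This is an added example, not Code4rena's code; the audit record shape, the role names and the route handler are assumptions.

```javascript
// Added example: role-gated access to an audit's "/submit" route.
// Assumed data model: each audit lists the roles allowed to submit; an empty
// list means any logged-in warden may submit. Sample records are constructed.
const AUDITS = {
  "audit-name": { slug: "audit-name", allowedRoles: ["certified", "backstage"], open: true },
  "public-audit": { slug: "public-audit", allowedRoles: [], open: true },
};

// Pure eligibility decision, kept separate so it can be unit-tested and reused
// by every handler that touches submissions (form render, POST, edits).
function canSubmit(audit, user) {
  if (!audit || !audit.open) return false;          // unknown or closed audit
  if (!user || !Array.isArray(user.roles)) return false; // no authenticated user
  if (audit.allowedRoles.length === 0) return true; // open to all wardens
  return user.roles.some((role) => audit.allowedRoles.includes(role));
}

// Route handler for GET/POST /audits/:slug/submit. The guard runs before any
// view is rendered or any report is stored, regardless of HTTP method, so a
// user who types the URL by hand gets the same 403 as one using the UI.
function handleSubmitRoute(method, slug, user, body) {
  const audit = AUDITS[slug];
  if (!audit) return { status: 404 };
  if (!user) return { status: 401 }; // must log in first
  if (!canSubmit(audit, user)) {
    // Denied attempts are worth logging: repeated 403s on gated audits are a
    // useful signal that someone is probing the submission endpoint.
    console.warn(`denied submit: audit=${slug} warden=${user.handle}`);
    return { status: 403, reason: "role not eligible for this audit" };
  }
  if (method === "GET") return { status: 200, view: "submission-form" };
  if (method === "POST") return { status: 201, saved: { slug, warden: user.handle, body } };
  return { status: 405 };
}
```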
Hi @kaveyjoe, thanks for the report! I pinged the C4 builder team about this again today and wanted to confirm that they are looking into it. Appreciate the detailed writeup.