Summary
Three authorization vulnerabilities were found in RestyaBoard:
1. Cross-Board Card Creation IDOR (CRITICAL)
File: `server/php/R/r.php`, lines 4812-4843
Endpoint: `POST /boards/{boardId}/lists/{listId}/cards`
The `checkAclLinks` authorization check validates board membership using the board ID from the URL path (`$r_resource_vars['boards']`), but the card-creation handler takes the destination board from `$r_post['board_id']` in the POST body. An attacker who is a member of one board can therefore supply a different `board_id` in the POST body and create cards in boards they are not authorized to access.
Secure pattern (line 4591, boards/users handler):
`$r_post['board_id'] = $r_resource_vars['boards'];`
Vulnerable (cards handler): uses `$r_post['board_id']` directly, without this override.
2. Cross-Board Card Copy IDOR (CRITICAL)
File: `server/php/R/r.php`, lines 6037-6150
Endpoint: `POST /boards/{boardId}/lists/{listId}/cards/{cardId}/copy`
The handler uses `array_merge($srow, $r_post)` (line 6074), so user-supplied POST keys override the `board_id`/`list_id` taken from the source card row. An attacker can thus copy cards into any board.
3. Unrestricted Board Search (HIGH)
File: `server/php/R/r.php`, lines 1729-1743
Endpoint: `GET /boards/search?q={query}`
The query has no visibility or membership checks and returns all boards. Compare `/organizations/?`, which correctly filters on `organization_visibility` and `user_id`.
Fix
- Card creation: add `$r_post['board_id'] = $r_resource_vars['boards'];` before inserting the card
- Card copy: force the destination `board_id`/`list_id` from the URL after the `array_merge`, or validate access to the requested destination
- Board search: add visibility and membership `WHERE` conditions
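The following is an added illustration of findings 1 and 2 and their fixes, not RestyaBoard's own code: a minimal stand-in for the `checkAclLinks` -> handler flow in which the ACL check reads the board from the URL while the handler reads it from the body. The membership table, the `createCard*`/`copyCardFixed` function names and the sample request are all constructed for this example.

```php
<?php
// Constructed membership table for the example: board_id => member user_ids.
$boardMembers = [1 => [10], 2 => [20]];

// Stand-in for checkAclLinks: membership is checked against the URL path
// variable only, exactly as the report describes.
function checkAclLinks(array $r_resource_vars, int $user_id, array $boardMembers): bool {
    $board_id = (int) $r_resource_vars['boards'];
    return in_array($user_id, $boardMembers[$board_id] ?? [], true);
}

// Vulnerable pattern (hypothetical handler): the destination board and list are
// taken from the POST body, which the ACL check above never inspected.
function createCardVulnerable(array $r_resource_vars, array $r_post): array {
    return ['board_id' => (int) $r_post['board_id'],
            'list_id'  => (int) $r_post['list_id'],
            'name'     => $r_post['name']];
}

// Fixed pattern: override the body values with the URL path values, as the
// boards/users handler already does, so the body cannot redirect the write.
function createCardFixed(array $r_resource_vars, array $r_post): array {
    $r_post['board_id'] = (int) $r_resource_vars['boards'];
    $r_post['list_id']  = (int) $r_resource_vars['lists'];
    return ['board_id' => $r_post['board_id'],
            'list_id'  => $r_post['list_id'],
            'name'     => $r_post['name']];
}

// Card copy: array_merge($srow, $r_post) lets POST keys override the source row,
// so the destination is re-asserted from the URL after the merge.
function copyCardFixed(array $srow, array $r_resource_vars, array $r_post): array {
    $new = array_merge($srow, $r_post);
    $new['board_id'] = (int) $r_resource_vars['boards'];
    $new['list_id']  = (int) $r_resource_vars['lists'];
    return $new;
}

// Constructed request: user 10 is a member of board 1 only. The URL names
// board 1 / list 5 (so the ACL check passes), but the body names board 2 / list 9.
$vars = ['boards' => 1, 'lists' => 5];
$post = ['board_id' => 2, 'list_id' => 9, 'name' => 'example card'];
$srow = ['id' => 42, 'board_id' => 1, 'list_id' => 5, 'name' => 'source card'];

echo 'ACL passed: ',         var_export(checkAclLinks($vars, 10, $boardMembers), true), PHP_EOL;
echo 'vulnerable create: ',  json_encode(createCardVulnerable($vars, $post)), PHP_EOL;
echo 'fixed create: ',       json_encode(createCardFixed($vars, $post)), PHP_EOL;
echo 'fixed copy: ',         json_encode(copyCardFixed($srow, $vars, $post)), PHP_EOL;
```

Running it shows the vulnerable handler writing to the board named in the body while both fixed handlers keep the record on the board the ACL check actually authorized.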