Skip to content

fix: add missing installation ownership check in VCS delete endpoint#11917

Open
yogeshwaran-c wants to merge 1 commit intoappwrite:1.9.xfrom
yogeshwaran-c:fix/vcs-installation-delete-ownership-check-v2
Open

fix: add missing installation ownership check in VCS delete endpoint#11917
yogeshwaran-c wants to merge 1 commit intoappwrite:1.9.xfrom
yogeshwaran-c:fix/vcs-installation-delete-ownership-check-v2

Conversation

@yogeshwaran-c
Copy link
Copy Markdown

@yogeshwaran-c yogeshwaran-c commented Apr 16, 2026

Summary

  • Added missing project scoping check to DELETE /v1/vcs/installations/:installationId
  • The delete endpoint previously only verified that the installation document existed; it did not verify that the installation belonged to the current project
  • The corresponding GET /v1/vcs/installations/:installationId endpoint already performs this check ($installation->getAttribute('projectInternalId') !== $project->getSequence()), and the listInstallations endpoint scopes its query by projectInternalId — so this was an oversight in the delete endpoint
  • Without this check, a caller with admin credentials in project A could delete an installation belonging to project B by passing its installation ID, breaking tenant isolation for VCS installations

Test plan

  • Verify that deleting an installation that belongs to the current project returns 204 No Content as before
  • Verify that attempting to delete an installation ID that belongs to a different project returns a 404 (INSTALLATION_NOT_FOUND) instead of succeeding
  • Verify that the installation document in the other project is not deleted in the unauthorized case
  • Verify getInstallation and listInstallations behavior is unchanged

@greptile-apps
Copy link
Copy Markdown
Contributor

greptile-apps bot commented Apr 16, 2026

Greptile Summary

This PR fixes a tenant-isolation vulnerability in DELETE /v1/vcs/installations/:installationId by adding the project ownership check that was already present in the sibling GET endpoint. The implementation is a minimal, correct addition that matches the established pattern across the VCS module.

Confidence Score: 5/5

Safe to merge — single-file security fix with no logic issues.

The change is a one-liner ownership guard that exactly mirrors the existing check in Get.php. All necessary pieces (import, injection, parameter, guard) are present and correct. No P0/P1 findings.

No files require special attention.

Important Files Changed

Filename Overview
src/Appwrite/Platform/Modules/VCS/Http/Installations/Delete.php Adds missing project ownership check to delete endpoint, mirroring the existing check in Get.php; injects $project, adds the Document import, and throws INSTALLATION_NOT_FOUND on mismatch — correct and complete.

Reviews (1): Last reviewed commit: "fix: add missing installation ownership ..." | Re-trigger Greptile

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@yogeshwaran-c