Severity: CRITICAL
Location: lib/Controller/ContactpersonenController.php lines 1022–1113; lib/Service/ContactpersoonService.php lines 1273–1404
Description:
POST /api/contactpersonen/{id}/disable is @NoAdminRequired with zero service-level authorisation. Any authenticated user can disable any account by ID, including the admin account. Combined with C2 (privilege escalation) this creates a permanent admin lockout: escalate to super-user, disable admin, take over the instance.
Scenario:
POST /api/contactpersonen/<admin-contact-id>/disable
Sent as any authenticated user → admin account disabled → permanent lockout.
Suggested fix:
- Gate with admin or org-admin check.
- Verify that the caller has authority over the target contact's organisation before allowing disable.
Source: deep team-reviewer pass 2026-05-27
Severity: CRITICAL
Location:
lib/Controller/ContactpersonenController.phplines 1022–1113;lib/Service/ContactpersoonService.phplines 1273–1404Description:
POST /api/contactpersonen/{id}/disableis@NoAdminRequiredwith zero service-level authorisation. Any authenticated user can disable any account by ID, including the admin account. Combined with C2 (privilege escalation) this creates a permanent admin lockout: escalate to super-user, disable admin, take over the instance.Scenario:
Sent as any authenticated user → admin account disabled → permanent lockout.
Suggested fix:
Source: deep team-reviewer pass 2026-05-27