---
issue: 055
title: "DELETE /api/files/delete has no ownership check — requires new persistence layer (NB-27 skipped)"
severity: high
domain: File Management
labels: [security, backend, idor, skipped-nobrainer]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# DELETE /api/files/delete has no ownership check — requires new persistence layer (NB-27 skipped)

**Severity:** high
**Domain:** File Management
**Labels:** security, backend, idor, skipped-nobrainer

## Description

`fileService.deleteFile()` is a pure filesystem path operation: there is no `File` model and no `createdBy`/`owner` field stored anywhere in the database, so the backend has no way to know who uploaded a given file. The route is protected by `authenticateToken`, which establishes *who* the caller is, but nothing checks whether that caller is allowed to act on the file named in the user-controlled `filename` query parameter. Any authenticated user who knows (or guesses) another user's filename can delete that file via `DELETE /api/files/delete?filename=...`. This is a broken object-level authorization (IDOR) issue, not an authentication issue.

This was triaged as NB-27 but skipped because adding an ownership check requires first creating a `File` persistence layer (model plus a write on the upload path), which is a larger-than-mechanical change that risks introducing new bugs.

## What is Needed

1. Create a `File` model (or add an `uploads` sub-document to the User model) that records `{ filename, uploadedBy: ObjectId, createdAt }` whenever a file is stored.
2. Add a middleware or controller check in `fileController.deleteFile` that looks up the record by filename and allows the delete only if `file.uploadedBy` matches `req.user.id` or the caller is an admin. Compare the ids as strings or with `ObjectId.equals()`; a plain `===` between a string id and a Mongoose `ObjectId` is always false. If no record exists, reject the request (403 or 404) rather than falling through to the unchecked delete.
3. Update the upload handler so every `POST /api/files/upload` writes the record. Files already on disk have no record, so they need either a backfill migration or an explicit default policy (for example admin-only deletion) until one is run.

## Affected Files

- `backend/src/services/file/fileController.ts` — add ownership check
- `backend/src/services/file/fileRoutes.ts` — (route already protected by `authenticateToken`)
- New: `backend/src/models/File.ts` (or equivalent) — persistence layer

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md)
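## Illustrative Fix

The following is an added example, not code from this repository: it sketches the three steps above (persistence record written on upload, ownership check in front of the delete, deny-by-default for files with no record) in a framework-free form. `InMemoryFileStore`, `InMemoryDisk`, `handleUpload`, `handleDelete` and the `{ id, role }` shape of `req.user` are hypothetical stand-ins for the Mongoose `File` model, the upload directory that `fileService.deleteFile()` operates on, and the controller handlers; the users and filenames are constructed. A real model would be awaited; the store is synchronous here so the example runs on its own.

```typescript
// Added example, not the project's code. Hypothetical stand-ins for the pieces
// the issue asks for: a File persistence layer (InMemoryFileStore), the upload
// path that writes a record, and the ownership check in front of the delete.

type Role = "user" | "admin";

interface AuthUser {
  id: string;   // req.user.id as set by authenticateToken (assumed shape)
  role: Role;
}

interface FileRecord {
  filename: string;
  uploadedBy: string; // an ObjectId in Mongoose; kept as its string form here
  createdAt: Date;
}

// Stand-in for backend/src/models/File.ts. With Mongoose these would be
// File.create(), File.findOne({ filename }) and File.deleteOne({ filename }).
class InMemoryFileStore {
  private records = new Map<string, FileRecord>();
  insert(record: FileRecord): void {
    if (this.records.has(record.filename)) throw new Error("duplicate filename");
    this.records.set(record.filename, record);
  }
  findByFilename(filename: string): FileRecord | undefined {
    return this.records.get(filename);
  }
  deleteByFilename(filename: string): void {
    this.records.delete(filename);
  }
}

// Stand-in for the upload directory that fileService.deleteFile() touches.
class InMemoryDisk {
  readonly files = new Set<string>();
  write(filename: string): void { this.files.add(filename); }
  remove(filename: string): boolean { return this.files.delete(filename); }
}

type DeleteResult = { status: 204 } | { status: 403 | 404; error: string };

// POST /api/files/upload: store the bytes, then record who uploaded them.
// If the record cannot be written, remove the file so no ownerless file is
// left on disk.
function handleUpload(store: InMemoryFileStore, disk: InMemoryDisk,
                      user: AuthUser, filename: string): void {
  disk.write(filename);
  try {
    store.insert({ filename, uploadedBy: user.id, createdAt: new Date() });
  } catch (err) {
    disk.remove(filename);
    throw err;
  }
}

// DELETE /api/files/delete?filename=...: the ownership check that is missing today.
function handleDelete(store: InMemoryFileStore, disk: InMemoryDisk,
                      user: AuthUser, filename: string): DeleteResult {
  const record = store.findByFilename(filename);
  // No record: the file never existed or predates the persistence layer.
  // Deny by default instead of falling back to the unchecked delete; legacy
  // files need a backfill migration or an explicit policy.
  if (!record) return { status: 404, error: "file not found" };

  // Compare as strings: `===` between a string id and a Mongoose ObjectId is
  // always false. With real ObjectIds use record.uploadedBy.equals(user.id).
  const isOwner = record.uploadedBy === user.id;
  if (!isOwner && user.role !== "admin") {
    // 403 here; return 404 instead if confirming that another user's
    // filename exists is itself considered a leak.
    return { status: 403, error: "not the owner of this file" };
  }

  disk.remove(filename);            // fileService.deleteFile(filename)
  store.deleteByFilename(filename); // keep the record in step with the disk
  return { status: 204 };
}

// Constructed scenario: two users, an admin, and a legacy file with no record.
function runScenario(): { statuses: number[]; legacyStillOnDisk: boolean } {
  const store = new InMemoryFileStore();
  const disk = new InMemoryDisk();
  const alice: AuthUser = { id: "u_alice", role: "user" };
  const bob: AuthUser = { id: "u_bob", role: "user" };
  const admin: AuthUser = { id: "u_admin", role: "admin" };

  handleUpload(store, disk, alice, "alice-report.pdf");
  handleUpload(store, disk, bob, "bob-notes.txt");
  disk.write("legacy-upload.bin"); // on disk from before the File model existed

  const statuses = [
    handleDelete(store, disk, bob, "alice-report.pdf").status,   // 403: not the owner
    handleDelete(store, disk, alice, "alice-report.pdf").status, // 204: owner
    handleDelete(store, disk, alice, "alice-report.pdf").status, // 404: already gone
    handleDelete(store, disk, admin, "bob-notes.txt").status,    // 204: admin override
    handleDelete(store, disk, bob, "legacy-upload.bin").status,  // 404: no record
  ];
  return { statuses, legacyStillOnDisk: disk.files.has("legacy-upload.bin") };
}
```

The scenario is the regression test the fix should ship with: a non-owner is refused, the owner succeeds once, an admin can override, and a file with no `File` record cannot be deleted through this route at all until it has been backfilled.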