fix(server): enforce edit permission on application snapshot deletion (GHSA-g2hc-wmw2-32jr)

[subrata71]

Description

Fixes a Broken Object-Level Authorization (BOLA/IDOR) vulnerability in the application snapshot deletion endpoint (GHSA-g2hc-wmw2-32jr).

Root cause: ApplicationSnapshotServiceCEImpl.deleteSnapshot was calling applicationSnapshotRepository.deleteAllByApplicationId directly without performing any authorization check. Any authenticated user who knew a target application ID could send DELETE /api/v1/applications/snapshot/{appId} and successfully destroy that application's snapshots — including snapshots belonging to other users and tenants.

Fix: Mirror the existing restoreSnapshot pattern in the same class. Resolve the application via applicationService.findById(id, applicationPermission.getEditPermission()) before executing the delete. When the caller does not have edit permission on the application, findById returns empty, which triggers switchIfEmpty and returns NO_RESOURCE_FOUND to the caller — identical behavior to all other protected operations in this service.

Changes:

• ApplicationSnapshotServiceCEImpl.java: 5-line change to deleteSnapshot — permission check added, no interface or API signature changes
• ApplicationSnapshotServiceTest.java: Updated existing deleteSnapshot happy-path test to run under a real user + owned application; added new regression test deleteSnapshot_WhenUserHasNoAccess_ThrowsError asserting that an inaccessible app ID returns AppsmithError.NO_RESOURCE_FOUND

Fixes https://linear.app/appsmith/issue/APP-15032/high-broken-object-level-authorization-allows-non-owner-to-delete

Automation

/ok-to-test tags="@tag.All"

🔍 Cypress test results

Tip

🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/23285869385
Commit: e4911c0
Cypress dashboard.
Tags: @tag.All
Spec:

---

Thu, 19 Mar 2026 09:54:26 UTC

Communication

Should the DevRel and Marketing teams inform users about this change?

• Yes
• No

Summary by CodeRabbit

• Bug Fixes

  • Snapshot read and delete actions now validate application existence and user permissions before proceeding; unauthorized access returns a clear error.

• Tests

  • Added tests covering access control for snapshot deletion and snapshot read-without-data to assert proper error handling for users without access.

[coderabbitai]

Walkthrough

Both getWithoutDataByBranchedApplicationId and deleteSnapshot now resolve the target Application via applicationService.findById(...) (read permission for the getter, edit for delete), raising NO_RESOURCE_FOUND if absent, and then operate on snapshots by the resolved application.getId(). Tests added for unauthorized access and updated existing test setup.

Changes

Cohort / File(s)	Summary
Service Implementation app/server/appsmith-server/src/main/java/com/appsmith/server/services/ce/ApplicationSnapshotServiceCEImpl.java	Both getWithoutDataByBranchedApplicationId and deleteSnapshot now first fetch the Application (enforcing read/edit permission respectively) and use the resolved application.getId() for snapshot queries; previously snapshots were queried/deleted directly by the passed branchedApplicationId.
Service Tests app/server/appsmith-server/src/test/java/com/appsmith/server/services/ApplicationSnapshotServiceTest.java	Updated deleteSnapshot_WhenSnapshotExists_Deleted to use real Application creation and snapshot creation via service; added deleteSnapshot_WhenUserHasNoAccess_ThrowsError and getWithoutDataByBranchedApplicationId_WhenUserHasNoAccess_ThrowsError to assert AppsmithError.NO_RESOURCE_FOUND when the caller lacks access.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant AppSnapshotService as SnapshotService
    participant ApplicationService as AppService
    participant SnapshotRepo as SnapshotRepository

    Client->>SnapshotService: deleteSnapshot(branchedApplicationId)
    SnapshotService->>AppService: findById(branchedApplicationId, EDIT)
    AppService-->>SnapshotService: Application (or NOT_FOUND)
    alt Application found
        SnapshotService->>SnapshotRepo: deleteByApplicationId(application.id)
        SnapshotRepo-->>SnapshotService: delete result
        SnapshotService-->>Client: success
    else Not found / no access
        AppService-->>SnapshotService: NO_RESOURCE_FOUND
        SnapshotService-->>Client: error (NO_RESOURCE_FOUND)
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🔎 Resolve first, then clear the slate,
Lookup, permission—then delete the state.
Tests assert the guard's command,
Snapshots fall by rightful hand. ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: adding edit permission enforcement to the snapshot deletion endpoint to fix a security vulnerability.
Description check	✅ Passed	PR description comprehensively covers the security vulnerability, root cause, fix methodology, and specific code changes with test updates.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/snapshot-bola-delete-authz-GHSA-g2hc-wmw2-32jr

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@app/server/appsmith-server/src/test/java/com/appsmith/server/services/ApplicationSnapshotServiceTest.java`:
- Around line 299-320: The test deleteSnapshot_WhenUserHasNoAccess_ThrowsError
currently uses a randomAppId so it only exercises the “missing resource” path;
instead, create and persist a real Application owned by the other user (the one
set up in `@BeforeEach`, e.g. the api_user context) and capture its id, then
switch to the `@WithUserDetails`("usertest@usertest.com") context and call
applicationSnapshotService.deleteSnapshot(existingAppId) to verify it produces
AppsmithError.NO_RESOURCE_FOUND for FieldName.APPLICATION; update the test to
use the persisted application's id (not a random id) and keep the
StepVerifier.expectErrorMatches assertion against
AppsmithError.NO_RESOURCE_FOUND.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2921429d-6ec5-4dfc-9367-a36b802a2523

📥 Commits

Reviewing files that changed from the base of the PR and between 470aa9e and 7b4e25c.

📒 Files selected for processing (2)

• app/server/appsmith-server/src/main/java/com/appsmith/server/services/ce/ApplicationSnapshotServiceCEImpl.java
• app/server/appsmith-server/src/test/java/com/appsmith/server/services/ApplicationSnapshotServiceTest.java

[linear]

APP-15032 [HIGH] Broken Object-Level Authorization Allows Non-Owner to Delete Application Snapshots

[sondermanish]

LGTM