Issue #3607979: Enforce per-file access and CSRF on PDF scan endpoints

Fixes an IDOR: the queue-scan, scan/start and scan/accessibility endpoints loaded files/status entities by a caller-supplied ID with no access check, so any user holding the (non-restricted) "check pdf accessibility" permission could enumerate arbitrary IDs to read other users' accessibility reports or push private files to the Adobe API.

  • Add PdfServicesScanController::userCanAccessFile() (owner, direct file view access, or view access to a referencing entity) and enforce it in all three endpoints; checkAccessibility now resolves the file behind the status_id first.
  • Make the three routes POST-only and require _csrf_request_header_token.
  • Update the widget JS to fetch a session token and send it as the X-CSRF-Token header on both scan requests.
  • Rework ScanControllerTest for POST + CSRF and add coverage for the private-file IDOR denial, missing-token rejection, and GET rejection.

Co-Authored-By: Claude Fable 5 noreply@anthropic.com

Closes #3607979

Merge request reports

Loading