
✓ Broken Access Control #2467

@sosiology

Description


Describe the bug

The color-palette endpoint on visualize.admin.ch does not properly check permissions on update and delete requests. This allows anyone to change or delete other users' color palettes and most likely also the default palettes.

Steps to Reproduce

1. Intercept your browser traffic.
2. Log in to https://test.visualize.admin.ch/ (the same works on https://visualize.admin.ch).
3. Go to your profile -> My color palettes, here https://test.visualize.admin.ch/en/profile?dataSource=Test-uncached
4. Create a new palette. It will be created based on an autogenerated GUID.
5. Now, if you edit the color palette again and save it, you have the option to provide a different GUID (it's a string, so it is most likely also possible to edit the default palettes; you can try with "category10" for example). To just test for the broken access control, you should create a secondary user and use that user's paletteId. Just change it in the PUT request. See screenshot_1.
6. The same applies to the DELETE request. You can delete your own palette and then replay the request with another ID. See screenshot_2.
7. Now, to impact arbitrary users, there are several ways to get paletteIds.
8. You can get the newest chart configurations from here (descending order; if you create a new draft it will already store the paletteId you have assigned and show up there): https://test.visualize.admin.ch/api/config/all?limit=55 - see screenshot_3.
9. If you open any chart you can find on Google (or archive.org, etc.), the paletteId is also inside the HTML as a JSON blob - see screenshot_4. These can be used to either update or delete.

Screenshots or video

Screenshot 1: [image]
Screenshot 2: [image]
Screenshot 3: [image]
Screenshot 4: [image]

Impact

Change or remove anyone's color palettes, and potentially do the same to the default palettes.

Remediation

Properly check, on every update and delete request, that the current session user is the owner of the palette being modified.
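An ownership check of the kind this remediation calls for, as an added TypeScript example that is not the visualize.admin.ch code: the unchecked handler the report describes beside a hardened one. The session shape, the in-memory store and the palette ids are constructed for the example.

```typescript
type Session = { userId: string } | null;
type Palette = { id: string; ownerId: string | null; colors: string[] };
type Store = Map<string, Palette>;
type Result = { status: 200 | 401 | 403 | 404 };

// Constructed data: two user palettes and one built-in default without an owner.
function makeStore(): Store {
  return new Map<string, Palette>([
    ["pal-alice", { id: "pal-alice", ownerId: "alice", colors: ["#111111"] }],
    ["pal-bob", { id: "pal-bob", ownerId: "bob", colors: ["#222222"] }],
    ["category10", { id: "category10", ownerId: null, colors: ["#1f77b4"] }],
  ]);
}

// Unchecked form: only "is someone logged in?" is verified, then the paletteId
// taken from the request is trusted. Any authenticated user can hit any row.
function deletePaletteUnchecked(store: Store, session: Session, paletteId: string): Result {
  if (!session) return { status: 401 };
  if (!store.delete(paletteId)) return { status: 404 };
  return { status: 200 };
}

// Hardened form: load the row first, then require that the session user owns it.
// Built-in defaults (ownerId null) are never writable through this endpoint.
function authorizeWrite(store: Store, session: Session, paletteId: string): Result | Palette {
  if (!session) return { status: 401 };
  const palette = store.get(paletteId);
  if (!palette) return { status: 404 };
  if (palette.ownerId === null || palette.ownerId !== session.userId) return { status: 403 };
  return palette;
}

function deletePalette(store: Store, session: Session, paletteId: string): Result {
  const auth = authorizeWrite(store, session, paletteId);
  if ("status" in auth) return auth;
  store.delete(auth.id);
  return { status: 200 };
}

function updatePalette(store: Store, session: Session, paletteId: string, colors: string[]): Result {
  const auth = authorizeWrite(store, session, paletteId);
  if ("status" in auth) return auth;
  store.set(auth.id, { ...auth, colors }); // id comes from the stored row, never from the body
  return { status: 200 };
}
```

The same `authorizeWrite` gate belongs in front of every mutating route, so a caller cannot reach a different code path that still trusts the request's id.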

Environment

The bug has only been reported and documented for the production environment. However, please make sure to also take a deeper look at all other environments you may operate (e.g. acceptance, reference, test environment, etc.). The described bug may also be present there.

Additional context

Source: Bug Bounty Email from Reto on 07.10.2025
Also see: PILOTAGE-trunk.txt
