realm_export: Restrict deletion to users in the same realm.

This fixes CVE-2025-30368. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2025-10-23 04:52:12 +00:00 · 2025-03-27 02:03:19 -07:00
parent 9b33e3bb14
commit cce3c7ebb1
1 changed files with 1 additions and 1 deletions
--- a/zerver/views/realm_export.py
+++ b/zerver/views/realm_export.py
@@ -136,7 +136,7 @@ def get_realm_exports(request: HttpRequest, user: UserProfile) -> HttpResponse:
@require_realm_admin
 def delete_realm_export(request: HttpRequest, user: UserProfile, export_id: int) -> HttpResponse:
    try:
-        export_row = RealmExport.objects.get(id=export_id)
+        export_row = RealmExport.objects.get(realm_id=user.realm_id, id=export_id)
    except RealmExport.DoesNotExist:
        raise JsonableError(_("Invalid data export ID"))