feat(backend): add stock reconciliation API endpoint for cycle counting#2
feat(backend): add stock reconciliation API endpoint for cycle counting#2
Conversation
Add POST /api/stock/reconcile/ endpoint to support mobile barcode-scanner workflows for inventory cycle counting. Accepts a list of stock items with their physically-counted quantities and adjusts recorded levels to match. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
![zeropath-ai-demo[bot]](https://avatars.githubusercontent.com/u/170791525?s=60&v=4){kind=small}
| stock_item.stocktake( | ||
| counted, | ||
| request.user, | ||
| notes=f'Reconciliation: {notes}' if notes else 'Stock reconciliation', | ||
| ) |
There was a problem hiding this comment.
Missing Authorization in Stock Reconciliation (Severity: LOW)
Insecure direct object references allow unauthorized users to adjust stock items. The stocktake method in serializers.py performs adjustments without verifying the user's permissions for each individual stock item, which could lead to unauthorized modifications of inventory data.
View details in ZeroPath
Suggested fix
Unable to apply as inline suggestion. Download .diff and apply from repo root with git apply 64d56011.diff
diff --git a/src/backend/InvenTree/stock/serializers.py b/src/backend/InvenTree/stock/serializers.py
--- a/src/backend/InvenTree/stock/serializers.py
+++ b/src/backend/InvenTree/stock/serializers.py
@@ -1986,6 +1986,8 @@
continue
# Use the built-in stocktake method to record the adjustment
+ if not request.user.has_perm('stock.change_stockitem', stock_item):
+ raise ValidationError(_('User does not have permission to reconcile stock item {item}').format(item=stock_item.pk))
stock_item.stocktake(
counted,
request.user,
There was a problem hiding this comment.
What specific data can a user adjust, here?
There was a problem hiding this comment.
In this code path, the user can adjust stock item quantities during reconciliation. Specifically, the serializer iterates stock items and calls stock_item.stocktake(counted, request.user, …) without a per‑item permission check, which records an adjustment for that stock item’s quantity (and related stocktake metadata like notes). So an unauthorized user could modify the inventory quantity for any targeted StockItem in the reconciliation payload.
If you want, I can trace the exact request fields (counted, item IDs, etc.) from the serializer to confirm the full set of mutable fields in this operation.
There was a problem hiding this comment.
Are there any prerequisites to hitting this endpoint? Any roles/permissions required?
There was a problem hiding this comment.
From the issue context, the only guarantee here is that request.user exists (so the endpoint is authenticated), but there’s no per‑item authorization check before calling stock_item.stocktake(...) in serializers.py:1989–1993. That means any authenticated user who can reach the stock reconciliation endpoint can adjust stock items they don’t own/aren’t authorized for, unless upstream view permissions block them.
I don’t see explicit endpoint-level permission requirements in the issue data. If you can point me to the specific view/action (e.g., DRF viewset/route for stock reconciliation), I can verify the exact permission classes and whether the endpoint requires a specific role (e.g., stock.change_stockitem).
In this PR, the recommended fix is to enforce:
request.user.has_perm('stock.change_stockitem', stock_item)(or the new stock_item.check_ownership path noted in the assessment). This makes the endpoint safe even if the endpoint-level permissions are broad.
There was a problem hiding this comment.
Cool, just checked in, and this app isn't actually deployed yet. Can you mark this as an accepted risk for now?
There was a problem hiding this comment.
Status updated to ACCEPTED_RISK for issue 64d56011-8f11-4c58-9852-78d368101b31 with the noted reason (app not deployed yet).
If/when deployment is planned, I recommend revisiting and either patching or moving it back to review.
|
🟡 Security issue(s) detected below the blocking threshold. Reviewed everything up to a6c68fb. The following issues were found:
Security Overview
Detected Code Changes
|
2 participants
Add POST /api/stock/reconcile/ endpoint to support mobile barcode-scanner workflows for inventory cycle counting. Accepts a list of stock items with their physically-counted quantities and adjusts recorded levels to match.