Bug #27: API accepts arbitrary role IDs during admin creation.
Status: Closed
Priority: Normal
Assignee: -
Description
Endpoint: POST https://api.akinderwellness.com:4001/api/admin/add-admin
The role field in the admin creation API is not validated: the API does not check whether the provided role ID exists in the system or whether the caller is authorized to assign it.
Any random UUID-like value can be supplied in the role field; the API still accepts the request and creates the user, with an empty role, successfully.
Steps to Reproduce
- Send a POST request to the endpoint https://api.akinderwellness.com:4001/api/admin/add-admin
- Use a valid payload, but change the role field to a random or non-existent ID (the role value below is an arbitrary ID; the comment from the original report has been moved out of the body so that it is valid JSON):
  {
    "first_name": "vivek",
    "last_name": "kumar",
    "email": "vivekkumarti@enandgate.com",
    "phone": "919304982963",
    "address": "Ara",
    "city": "Ara",
    "state": "Bihar",
    "zip": "802301",
    "notification_all_activies": true,
    "notification_new_message": true,
    "notification_new_referral": true,
    "notification_new_request": true,
    "notification_password_change": true,
    "notification_weekly_report": true,
    "role": "69942bccd08e5e1590a21dc6",
    "secondary_password": "password",
    "password": "Shared1#"
  }
- Observe the response.
Expected Result
The API should:
- Validate that the role exists in the database
- Reject invalid or non-existent role IDs with an error
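The check the expected result asks for, as an added example in JavaScript that is not the project's own code: before any user record is written, the handler verifies that the submitted role value has the shape of a role ID, that it exists in the role store, and that it is a role this endpoint is allowed to assign. The 24-hex-character ID format, the in-memory role store and the "assignable" flag are assumptions standing in for the real database and authorization rules.

```javascript
// Added example, not the project's code: role validation for an admin-creation handler.
// Assumption: role IDs are 24-hex-character ObjectId-style strings, as the ID in the
// report suggests; the real service's ID format may differ.
const ROLE_ID_RE = /^[0-9a-fA-F]{24}$/;

// Constructed in-memory role store standing in for the database's role collection.
// The "assignable" flag is an assumed authorization rule: some roles must not be
// handed out through a self-service admin-creation endpoint.
const ROLE_STORE = new Map([
  ['5f1a2b3c4d5e6f7a8b9c0d1e', { name: 'admin', assignable: true }],
  ['5f1a2b3c4d5e6f7a8b9c0d1f', { name: 'support', assignable: true }],
  ['5f1a2b3c4d5e6f7a8b9c0d20', { name: 'superadmin', assignable: false }],
]);

// Returns null when the role is acceptable, otherwise { status, error }.
function validateRole(roleId, roleStore = ROLE_STORE) {
  // Shape check first: rejects missing, non-string and malformed values
  // before any database lookup is attempted.
  if (typeof roleId !== 'string' || !ROLE_ID_RE.test(roleId)) {
    return { status: 400, error: 'role must be a valid role ID' };
  }
  // Existence check: the ID must refer to a role the system actually knows.
  const role = roleStore.get(roleId);
  if (!role) {
    return { status: 400, error: 'role does not exist' };
  }
  // Authorization check: the role must be one this endpoint may assign.
  if (!role.assignable) {
    return { status: 403, error: 'role cannot be assigned through this endpoint' };
  }
  return null;
}

// Simulated add-admin handler: validation runs before the user is created,
// so an invalid role never produces a user with an empty role.
function addAdmin(body, roleStore = ROLE_STORE) {
  const err = validateRole(body.role, roleStore);
  if (err) {
    return { status: err.status, body: { error: err.error } };
  }
  // In the real service this is where the user record would be persisted.
  return { status: 201, body: { created: { email: body.email, role: body.role } } };
}

// Constructed sample request modelled on the report: the role value is the
// arbitrary ID from the report, which is not present in the role store.
const SAMPLE_REQUEST = {
  first_name: 'vivek',
  email: 'reporter@example.invalid',
  role: '69942bccd08e5e1590a21dc6',
  password: 'Shared1#',
};

console.log(JSON.stringify(addAdmin(SAMPLE_REQUEST)));
// → {"status":400,"body":{"error":"role does not exist"}}
```

The ordering matters for defenders: the format check keeps malformed input away from the database query, the existence check closes the bug described in this report, and the assignable check covers the "is authorized" half of the description, so that a caller cannot grant a privileged role merely by knowing its ID.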
Actual Result
The API accepts any arbitrary role ID.
A user without a role is created successfully even when an invalid role is supplied.