## GitHub Security Fix: Removes Broad Coach Permissions That Allowed Any Coach to Create Players on Any Team
A critical security vulnerability, designated SEC-48, has been patched in a codebase after a review confirmed the completion of a necessary data backfill. The flaw resided in a legacy 'safety-net' fallback within player creation rules, which granted any coach the system-wide permission to create players on any team, regardless of their actual affiliation. This over-permissive rule, `isCoach()`, has now been removed, fundamentally narrowing the access scope.

The fix, documented in a GitHub commit titled 'fix(sec-55)', eliminates two legacy components. First, it removes the broad `isCoach()` check from the Player `allow create` rule. Second, it updates the `isCoachOfTeam()` function to rely solely on a modern `coachIds` array for authorization, dropping a legacy scalar `coachId` check. The security remediation follows the confirmed completion of a `coachIds` backfill across both staging and production environments as of April 12, 2026, which enabled the removal of the outdated fallback logic without breaking legitimate functions.

The change significantly hardens the application's authorization layer. The new logic strictly scopes a coach's player-creation privileges to teams where their user ID is explicitly listed in the `coachIds` array. A companion test plan validates that a coach can still create players for their own team but is definitively blocked from creating players for a different team. The update has passed a formal security-engineer review, marking a resolved exposure that previously risked unauthorized data creation and team boundary violations.
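The before-and-after rule logic described above, as an added example modelled in plain JavaScript rather than taken from the project's own rules (which appear to be Firestore-style security rules; the user and team data shapes, the `role` field and the partially backfilled `bears` team are assumptions made for illustration):

```javascript
// Added example, not the project's code: a JavaScript model of the legacy and
// hardened Player `allow create` predicates, plus the companion test plan.

// Constructed fixture standing in for the users and teams collections (assumed shapes).
const users = {
  coachA: { role: 'coach' },
  coachB: { role: 'coach' },
  parent1: { role: 'parent' },
};
const teams = {
  lions: { coachId: 'coachA', coachIds: ['coachA'] },
  tigers: { coachId: 'coachB', coachIds: ['coachB'] },
  // Hypothetical team whose coachIds backfill never ran: only the legacy scalar is set.
  bears: { coachId: 'coachA', coachIds: [] },
};

// Legacy safety-net: any authenticated coach passes, regardless of team.
function isCoach(uid) {
  return users[uid] !== undefined && users[uid].role === 'coach';
}

// Legacy isCoachOfTeam(): accepted either the scalar coachId or the coachIds array.
function isCoachOfTeamLegacy(uid, teamId) {
  const t = teams[teamId];
  return t !== undefined && (t.coachId === uid || t.coachIds.includes(uid));
}

// Post-fix isCoachOfTeam(): only membership in the backfilled coachIds array counts.
function isCoachOfTeam(uid, teamId) {
  const t = teams[teamId];
  return t !== undefined && t.coachIds.includes(uid);
}

// `allow create` before the fix: the isCoach() fallback makes the team check moot.
function canCreatePlayerBefore(uid, player) {
  return isCoach(uid) || isCoachOfTeamLegacy(uid, player.teamId);
}

// `allow create` after the fix: scoped strictly to teams listing this coach.
function canCreatePlayerAfter(uid, player) {
  return isCoachOfTeam(uid, player.teamId);
}

// The companion test plan: own team still allowed, other team blocked. The
// `bears` case shows why the coachIds backfill had to finish before removing
// the scalar coachId check: an unbackfilled team would lock out its real coach.
function runTestPlan() {
  return {
    ownTeamBefore: canCreatePlayerBefore('coachA', { teamId: 'lions' }),
    otherTeamBefore: canCreatePlayerBefore('coachA', { teamId: 'tigers' }), // the bug
    ownTeamAfter: canCreatePlayerAfter('coachA', { teamId: 'lions' }),
    otherTeamAfter: canCreatePlayerAfter('coachA', { teamId: 'tigers' }),
    unbackfilledAfter: canCreatePlayerAfter('coachA', { teamId: 'bears' }),
  };
}
```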

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: Security Vulnerability, Code Access Control, Authorization Flaw, GitHub, Patch
- **Credibility**: unverified
- **Published**: 2026-04-12 11:22:33
- **ID**: 60577
- **URL**: https://whisperx.ai/en/intel/60577