Security: createLesson Missing Course Ownership Check (Cross-Creator Lesson Injection)

## Summary

The `createLesson` mutation allows any user with `manageCourse` permission to add lessons to ANY course on the domain, bypassing course ownership verification.

## Details

**File:** `apps/web/graphql/lessons/logic.ts`, lines 150-197

The course is found by courseId + domain but ownership is never verified. Compare with `getLessonOrThrow()` (lines 50-80) which both `updateLesson` and `deleteLesson` call - it checks `checkOwnershipWithoutModel(lesson, ctx)`.

`createLesson` skips this check entirely - classic 1-of-N inconsistency.

## Impact

Any course creator can inject arbitrary lessons into other creators' courses.

## Recommended Fix

Add ownership verification after finding the course, or use `getCourseOrThrow()`.

**Severity:** High (CWE-639)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security: createLesson Missing Course Ownership Check (Cross-Creator Lesson Injection) #731

Summary

Details

Impact

Recommended Fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Security: createLesson Missing Course Ownership Check (Cross-Creator Lesson Injection) #731

Description

Summary

Details

Impact

Recommended Fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions