
GetCollectedHuntTimelines missing hunt approval check — bypasses access control #1159

@Ryujiyasu


Summary

In grr/server/grr_response_server/gui/api_call_router_with_approval_checks.py, the GetCollectedHuntTimelines handler (lines 1059-1065) is missing a hunt approval check.

Vulnerable Code

def GetCollectedHuntTimelines(
    self, args, context=None
) -> api_timeline.ApiGetCollectedHuntTimelinesHandler:
    # Everybody can export collected hunt timelines.
    return self.delegate.GetCollectedHuntTimelines(args, context=context)

The immediately preceding handler GetHuntFilesArchive (lines 1041-1048) correctly requires self.approval_checker.CheckHuntAccess(context, str(args.hunt_id)) before returning hunt data.

Impact

GetCollectedHuntTimelines retrieves full filesystem timeline data (all file paths, sizes, modification times, ownership, and permissions) for every client in the hunt, yet skips the same approval check that GetHuntFilesArchive enforces.

A user who has not received hunt approval can call GET /api/v2/hunts/<hunt_id>/collected-timelines and receive complete filesystem metadata for all client machines in the hunt.

Suggested Fix

Add self.approval_checker.CheckHuntAccess(context, str(args.hunt_id)) to GetCollectedHuntTimelines, consistent with the adjacent GetHuntFilesArchive handler.
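The following is an added example, not code from the GRR repository or from the issue author. It models the routing pattern the issue describes with a small stand-in: a router that wraps a delegate and consults an approval checker, written once in the reported shape (archive handler checks, timelines handler does not) and once with the suggested fix applied. It also includes a crude source-level audit that lists Hunt handlers that never call CheckHuntAccess, which is how a maintainer might catch the next missing check. Only the names CheckHuntAccess, GetHuntFilesArchive and GetCollectedHuntTimelines come from the issue; HuntAccessDenied, ApprovalChecker, Delegate, VulnerableRouter, FixedRouter, the Context/Args records and the sample approvals table are assumptions constructed for illustration.

```python
"""Added example (not GRR code): model of an approval-checking API router.

The class, exception and record names here are hypothetical; only the
handler names and CheckHuntAccess are taken from the issue text.
"""

import inspect
from dataclasses import dataclass, field


class HuntAccessDenied(Exception):
    """Raised when the caller holds no approval for the hunt (hypothetical)."""


@dataclass
class Context:
    username: str


@dataclass
class Args:
    hunt_id: str


@dataclass
class ApprovalChecker:
    # hunt_id -> usernames holding a valid approval (constructed sample data)
    approvals: dict = field(default_factory=dict)

    def CheckHuntAccess(self, context, hunt_id):
        """Raise unless the calling user has an approval for this hunt."""
        if context.username not in self.approvals.get(hunt_id, set()):
            raise HuntAccessDenied(
                f"{context.username} has no approval for hunt {hunt_id}")


class Delegate:
    """Stand-in for the unchecked inner router; returns a handler marker."""

    def GetHuntFilesArchive(self, args, context=None):
        return ("files_archive", args.hunt_id)

    def GetCollectedHuntTimelines(self, args, context=None):
        return ("collected_timelines", args.hunt_id)


class VulnerableRouter:
    """Shape reported in the issue: archive checks, timelines does not."""

    def __init__(self, delegate, approval_checker):
        self.delegate = delegate
        self.approval_checker = approval_checker

    def GetHuntFilesArchive(self, args, context=None):
        self.approval_checker.CheckHuntAccess(context, str(args.hunt_id))
        return self.delegate.GetHuntFilesArchive(args, context=context)

    def GetCollectedHuntTimelines(self, args, context=None):
        # Missing approval check: any authenticated user reaches the delegate.
        return self.delegate.GetCollectedHuntTimelines(args, context=context)


class FixedRouter(VulnerableRouter):
    """Suggested fix: the same approval check as the adjacent archive handler."""

    def GetCollectedHuntTimelines(self, args, context=None):
        self.approval_checker.CheckHuntAccess(context, str(args.hunt_id))
        return self.delegate.GetCollectedHuntTimelines(args, context=context)


def timelines_access(router_cls, username, hunt_id="H:ABCDEF"):
    """True if `username` can fetch collected timelines for `hunt_id` through
    `router_cls`, False if the approval check rejects the call."""
    checker = ApprovalChecker(approvals={"H:ABCDEF": {"approved_analyst"}})
    router = router_cls(Delegate(), checker)
    try:
        router.GetCollectedHuntTimelines(Args(hunt_id), context=Context(username))
        return True
    except HuntAccessDenied:
        return False


def hunt_handlers_without_check(router_cls):
    """Crude audit: names of Hunt handler methods on `router_cls` (including
    inherited ones) whose source never mentions CheckHuntAccess."""
    missing = []
    for name, fn in inspect.getmembers(router_cls, inspect.isfunction):
        if "Hunt" in name and "CheckHuntAccess" not in inspect.getsource(fn):
            missing.append(name)
    return sorted(missing)


if __name__ == "__main__":
    print("vulnerable, unapproved user:", timelines_access(VulnerableRouter, "nobody"))
    print("fixed, unapproved user:", timelines_access(FixedRouter, "nobody"))
    print("fixed, approved user:", timelines_access(FixedRouter, "approved_analyst"))
    print("handlers missing check:", hunt_handlers_without_check(VulnerableRouter))
```

The audit is deliberately textual rather than behavioural: it will not prove a check is correct, but it flags any hunt handler that does not call the checker at all, which is exactly the class of omission this issue reports.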
