fix(backend): enforce private-by-default visibility and pool-op ACL
Listings returned every row regardless of ownership: GET /files, /tags, /pools and /categories exposed other users' private items (while the single-item GET correctly returned 403), and the pool file operations (GET /pools/:id, /pools/:id/files, add/remove/reorder) skipped ACL entirely, so any authenticated user could read and rewrite anyone's private pool. - List queries now filter to rows the caller may see (public, owned, or granted can_view) via a shared SQL condition; admins bypass. The viewer identity is taken from the request context by the service and passed to the repository in the list params. - Tag/Category/Pool single-item Get now enforce CanView (File already did). - Pool Get/ListFiles require pool view; AddFiles/RemoveFiles/Reorder require pool edit. Adds regression tests for private-by-default listing (hidden / public / granted / admin) and for pool operations rejecting a non-owner. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -116,6 +116,12 @@ func (r *CategoryRepo) List(ctx context.Context, params port.OffsetParams) (*dom
|
||||
args = append(args, "%"+params.Search+"%")
|
||||
n++
|
||||
}
|
||||
// Restrict to categories the viewer may see (private-by-default), unless admin.
|
||||
if !params.ViewerIsAdmin {
|
||||
var aclCond string
|
||||
aclCond, n, args = aclVisibilityCond("c", objTypeCategory, params.ViewerID, n, args)
|
||||
conditions = append(conditions, aclCond)
|
||||
}
|
||||
|
||||
where := ""
|
||||
if len(conditions) > 0 {
|
||||
|
||||
@@ -607,6 +607,13 @@ func (r *FileRepo) List(ctx context.Context, params domain.FileListParams) (*dom
|
||||
}
|
||||
}
|
||||
|
||||
// Restrict to files the viewer may see (private-by-default), unless admin.
|
||||
if !params.ViewerIsAdmin {
|
||||
var aclCond string
|
||||
aclCond, n, args = aclVisibilityCond("f", objTypeFile, params.ViewerID, n, args)
|
||||
conds = append(conds, aclCond)
|
||||
}
|
||||
|
||||
var orderBy string
|
||||
if hasCursor {
|
||||
ksWhere, ksOrder, nextN, ksArgs := buildKeysetCond(
|
||||
|
||||
@@ -183,6 +183,12 @@ func (r *PoolRepo) List(ctx context.Context, params port.OffsetParams) (*domain.
|
||||
args = append(args, "%"+params.Search+"%")
|
||||
n++
|
||||
}
|
||||
// Restrict to pools the viewer may see (private-by-default), unless admin.
|
||||
if !params.ViewerIsAdmin {
|
||||
var aclCond string
|
||||
aclCond, n, args = aclVisibilityCond("p", objTypePool, params.ViewerID, n, args)
|
||||
conditions = append(conditions, aclCond)
|
||||
}
|
||||
|
||||
where := ""
|
||||
if len(conditions) > 0 {
|
||||
|
||||
@@ -65,3 +65,29 @@ func connOrTx(ctx context.Context, pool *pgxpool.Pool) db.Querier {
|
||||
}
|
||||
return pool
|
||||
}
|
||||
|
||||
// Object type IDs as seeded in core.object_types (007_seed_data.sql).
|
||||
const (
|
||||
objTypeFile int16 = 1
|
||||
objTypeTag int16 = 2
|
||||
objTypeCategory int16 = 3
|
||||
objTypePool int16 = 4
|
||||
)
|
||||
|
||||
// aclVisibilityCond returns a SQL boolean fragment that is true when the viewer
|
||||
// may see the row at <alias>.id of the given object type under the
|
||||
// private-by-default model: the row is public, the viewer created it, or the
|
||||
// viewer holds an explicit can_view grant. objectTypeID is a trusted constant
|
||||
// and is inlined; viewerID is bound as $n (referenced twice). Returns the
|
||||
// fragment, the next free parameter index, and the extended args.
|
||||
//
|
||||
// Callers skip this entirely for admins (who bypass ACL).
|
||||
func aclVisibilityCond(alias string, objectTypeID int16, viewerID int16, n int, args []any) (string, int, []any) {
|
||||
cond := fmt.Sprintf(
|
||||
"(%[1]s.is_public OR %[1]s.creator_id = $%[2]d OR EXISTS ("+
|
||||
"SELECT 1 FROM acl.permissions p "+
|
||||
"WHERE p.object_type_id = %[3]d AND p.object_id = %[1]s.id "+
|
||||
"AND p.user_id = $%[2]d AND p.can_view))",
|
||||
alias, n, objectTypeID)
|
||||
return cond, n + 1, append(args, viewerID)
|
||||
}
|
||||
|
||||
@@ -169,6 +169,12 @@ func (r *TagRepo) listTags(ctx context.Context, params port.OffsetParams, catego
|
||||
args = append(args, *categoryID)
|
||||
n++
|
||||
}
|
||||
// Restrict to tags the viewer may see (private-by-default), unless admin.
|
||||
if !params.ViewerIsAdmin {
|
||||
var aclCond string
|
||||
aclCond, n, args = aclVisibilityCond("t", objTypeTag, params.ViewerID, n, args)
|
||||
conditions = append(conditions, aclCond)
|
||||
}
|
||||
|
||||
where := ""
|
||||
if len(conditions) > 0 {
|
||||
|
||||
Reference in New Issue
Block a user