tech/tanabata
1
1
Fork 0
Code Pull Requests Actions Releases Activity

fix(backend): require owner/admin to read or modify object ACLs

Browse Source 
GET/PUT /acl/:object_type/:object_id performed no authorization check, so
any authenticated user could read the permission list of, or grant
themselves view/edit on, any file/tag/category/pool. ACLService now
resolves the object's owner and rejects callers who are neither the owner
nor an admin. SetPermissions also wraps its delete+insert replace in a
single transaction so a partial failure can no longer wipe permissions.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Masahiko AMANO
2026-06-10 13:59:10 +03:00
parent eb2eb00d96
commit a6680b1c05
4 changed files with 109 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/internal/integration/server_test.go
+1 -1
View File
@@ -125,7 +125,7 @@ func setupSuite(t *testing.T) *harness {
// --- Services ------------------------------------------------------------
authSvc := service.NewAuthService(userRepo, sessionRepo, "test-secret", 15*time.Minute, 720*time.Hour)
aclSvc := service.NewACLService(aclRepo)
aclSvc := service.NewACLService(aclRepo, fileRepo, tagRepo, categoryRepo, poolRepo, transactor)
auditSvc := service.NewAuditService(auditRepo)
tagSvc := service.NewTagService(tagRepo, tagRuleRepo, aclSvc, auditSvc, transactor)
categorySvc := service.NewCategoryService(categoryRepo, tagRepo, aclSvc, auditSvc)