Commit Graph

2 Commits

Author SHA1 Message Date
H1K0 a6680b1c05 fix(backend): require owner/admin to read or modify object ACLs
GET/PUT /acl/:object_type/:object_id performed no authorization check, so
any authenticated user could read the permission list of, or grant
themselves view/edit on, any file/tag/category/pool. ACLService now
resolves the object's owner and rejects callers who are neither the owner
nor an admin. SetPermissions also wraps its delete+insert replace in a
single transaction so a partial failure can no longer wipe permissions.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-10 13:59:10 +03:00
H1K0 559f891d8d feat(backend): implement ACL repo and service
Add postgres ACLRepo (List/Get/Set) and ACLService with CanView/CanEdit
checks (admin bypass, public flag, creator shortcut, explicit grants)
and GetPermissions/SetPermissions for the /acl endpoints.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-04 01:13:21 +03:00
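
An added sketch of the access rules the two commit messages describe; it is not the project's code. Go, the types `User` and `Object`, the helper `CanManageACL` and the in-memory grant map (standing in for the postgres repo and its transaction) are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical types and names; the commit messages do not show the project's own.
var ErrForbidden = errors.New("forbidden")

type User struct {
	ID      int
	IsAdmin bool
}

type Object struct {
	OwnerID  int
	IsPublic bool
	Viewers  map[int]bool // explicit view grants, keyed by user ID
}

// CanView applies the checks in the order the second commit lists them:
// admin bypass, public flag, creator shortcut, explicit grants.
func CanView(u User, o Object) bool {
	return u.IsAdmin || o.IsPublic || o.OwnerID == u.ID || o.Viewers[u.ID]
}

// CanManageACL is the gate the fix describes: only the owner or an admin may
// read or replace the permission list. A view grant alone is not enough.
func CanManageACL(u User, o Object) bool {
	return u.IsAdmin || o.OwnerID == u.ID
}

// SetPermissions authorizes first, then builds the full replacement before
// swapping it in, so a failure never leaves the object with no grants.
func SetPermissions(caller User, o *Object, viewers []int) error {
	if !CanManageACL(caller, *o) {
		return ErrForbidden
	}
	next := make(map[int]bool, len(viewers))
	for _, id := range viewers {
		next[id] = true
	}
	o.Viewers = next
	return nil
}

func main() {
	obj := Object{OwnerID: 1} // constructed sample object owned by user 1
	fmt.Println(SetPermissions(User{ID: 2}, &obj, []int{2}))
}
```
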