fix(workout-session): require auth + ownership to delete a workout session#239
Open
evan188199-tech wants to merge 1 commit into
Open
Conversation
…ssion deleteWorkoutSessionAction used the unauthenticated actionClient and fetched the session's userId only to discard it, deleting by id alone — so any logged-in user could delete any other user's session. Switch to authenticatedActionClient (which injects ctx.user via serverAuth) and reject when session.userId !== ctx.user.id, returning the same 'not found' for missing and non-owned rows to avoid existence disclosure. Fixes Snouzy#238
|
Someone is attempting to deploy a commit to the Workoutcool Team Team on Vercel. A member of the Team first needs to authorize it. |
Author
|
此 PR 由 GLM-5.2 修复。 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
deleteWorkoutSessionActionlet any logged-in user delete any other user's workout session. It was built on the unauthenticatedactionClient, fetched the session'suserIdbut never compared it to the caller, and deleted byidalone.Root cause
actionClientperforms no auth (vsauthenticatedActionClient, which injectsctx.userviaserverAuth()). The action had no idea who the caller was, so the selecteduserIdcould never be checked.Fix
Switch to
authenticatedActionClientand require ownership:The same "not found" is returned for missing and non-owned rows to avoid disclosing which session ids exist.
Fixes #238.