fix: wire permission checks into message/channel handlers
- Add CheckChannelPermission to permissions.Checker (layers channel overrides on top of role permissions) - Refactor requireChannelAccess to accept required permission bitmap - Message Create checks SEND_MESSAGES; List/Search check VIEW_CHANNEL - BulkDelete uses Checker.CheckPermission for MANAGE_MESSAGES - Channel handler List filters out channels user cannot view - Remove dead checkPermission method from message handler - Fix frontend avatar upload: parse response URL, call updateProfile
This commit is contained in:
@@ -10,11 +10,9 @@ This document contains a comprehensive audit of the dumpsterChat repository, hig
|
||||
* **Location:** [internal/db/db.go](file:///opt/dumpsterChat/internal/db/db.go#L189), [internal/webhook/handlers.go](file:///opt/dumpsterChat/internal/webhook/handlers.go#L143-L151)
|
||||
* **Fix:** Plaintext token column has been dropped via DDL migration (`ALTER TABLE webhooks DROP COLUMN IF EXISTS token;`), and webhook creation no longer stores plaintext tokens in the database.
|
||||
|
||||
### 🚨 Message and Channel Access Bypasses Role Permissions & Overrides
|
||||
* **Location:** [internal/message/handlers.go](file:///opt/dumpsterChat/internal/message/handlers.go#L663-L686), [internal/channel/handlers.go](file:///opt/dumpsterChat/internal/channel/handlers.go#L165-L187)
|
||||
* **Description:** Access to channel reading, message listing, and message posting is checked solely via server membership (`members` table). Role permissions (like `VIEW_CHANNEL` or `SEND_MESSAGES`) and channel-level overrides (`channel_overrides` table) are completely ignored.
|
||||
* **Impact:** Any user who is a member of a server can read, search, and post messages in *any* channel on that server (including private, forum, calendar, or documentation channels), completely bypassing the permissions configuration system.
|
||||
* **Remediation:** Update `requireChannelAccess` in `message.Handler` to use `permissions.Checker` to verify channel permission overrides and server roles.
|
||||
### 🚨 Message and Channel Access Bypasses Role Permissions & Overrides ✅ RESOLVED
|
||||
* **Location:** [internal/message/handlers.go](file:///opt/dumpsterChat/internal/message/handlers.go), [internal/channel/handlers.go](file:///opt/dumpsterChat/internal/channel/handlers.go)
|
||||
* **Fix:** Added `CheckChannelPermission` method to `permissions.Checker` that layers channel overrides on top of role permissions. Updated `requireChannelAccess` to accept a required permission bitmap — message Create checks `SEND_MESSAGES`, List/Search check `VIEW_CHANNEL`, BulkDelete uses `CheckPermission` for `MANAGE_MESSAGES`. Channel handler List now filters out channels the user cannot view.
|
||||
|
||||
### ⚠️ WebAuthn Session Cookie SameSite Laxity ✅ RESOLVED
|
||||
* **Location:** [internal/auth/cookie.go](file:///opt/dumpsterChat/internal/auth/cookie.go#L17)
|
||||
@@ -28,10 +26,9 @@ This document contains a comprehensive audit of the dumpsterChat repository, hig
|
||||
|
||||
## 2. Functional Bugs & Defects
|
||||
|
||||
### 🐛 User Avatar Cannot Be Changed (Backend fixed, Frontend still broken) ⚠️ PARTIALLY RESOLVED
|
||||
* **Location:** [internal/auth/handlers.go](file:///opt/dumpsterChat/internal/auth/handlers.go#L210-L220), [web/src/components/UserSettings.tsx](file:///opt/dumpsterChat/web/src/components/UserSettings.tsx#L73-L84)
|
||||
* **Status:** The backend has been successfully updated to accept `AvatarURL` in the PATCH request. However, the frontend avatar upload code is still broken: it uploads the file to `/api/v1/upload` but does not parse the response URL, nor does it call the profile update endpoint to save the returned URL.
|
||||
* **Remediation:** Update `handleAvatarUpload` in `UserSettings.tsx` to read the returned JSON URL and send a PATCH request via `updateProfile` containing the `avatar_url`.
|
||||
### 🐛 User Avatar Cannot Be Changed ✅ RESOLVED
|
||||
* **Location:** [internal/auth/handlers.go](file:///opt/dumpsterChat/internal/auth/handlers.go#L210-L220), [web/src/components/UserSettings.tsx](file:///opt/dumpsterChat/web/src/components/UserSettings.tsx)
|
||||
* **Fix:** Backend accepts `avatar_url` in PATCH profile. Frontend upload now parses the returned URL and calls `updateProfile` to save it. `UpdateProfilePayload` type also gained the `avatar_url` field.
|
||||
|
||||
### 🐛 TUI Client Auth Failure Fallback Bug ✅ RESOLVED
|
||||
* **Location:** [cmd/tui/auth.go](file:///opt/dumpsterChat/cmd/tui/auth.go#L21-L36)
|
||||
@@ -45,9 +42,9 @@ This document contains a comprehensive audit of the dumpsterChat repository, hig
|
||||
* **Location:** [internal/permissions/overrides.go](file:///opt/dumpsterChat/internal/permissions/overrides.go)
|
||||
* **Fix:** Unused function removed from the package.
|
||||
|
||||
### 🗑️ Duplicated Permission Verification
|
||||
* **Location:** [internal/message/handlers.go](file:///opt/dumpsterChat/internal/message/handlers.go#L129-L158)
|
||||
* **Description:** The `checkPermission` method in `message.Handler` duplicates role checking queries instead of using the `permissions.Checker` struct.
|
||||
### 🗑️ Duplicated Permission Verification ✅ RESOLVED
|
||||
* **Location:** [internal/message/handlers.go](file:///opt/dumpsterChat/internal/message/handlers.go)
|
||||
* **Fix:** Removed the dead `checkPermission` method. Callers now use the `Checker` from the `permissions` package and its new `CheckChannelPermission` method.
|
||||
|
||||
### 🗑️ Obsolete Handler Type ✅ RESOLVED
|
||||
* **Location:** [internal/message/handlers.go](file:///opt/dumpsterChat/internal/message/handlers.go)
|
||||
|
||||
Reference in New Issue
Block a user