Files
dumpsterChat/ISSUES.md
T
hobokenchicken 215f931311 fix: wire permission checks into message/channel handlers
- Add CheckChannelPermission to permissions.Checker (layers channel overrides on top of role permissions)
- Refactor requireChannelAccess to accept required permission bitmap
- Message Create checks SEND_MESSAGES; List/Search check VIEW_CHANNEL
- BulkDelete uses Checker.CheckPermission for MANAGE_MESSAGES
- Channel handler List filters out channels user cannot view
- Remove dead checkPermission method from message handler
- Fix frontend avatar upload: parse response URL, call updateProfile
2026-06-30 13:47:08 -04:00

3.9 KiB

dumpsterChat Codebase Audit Report

This document contains a comprehensive audit of the dumpsterChat repository, highlighting security vulnerabilities, functional bugs, dead code, and maintenance issues.


1. Security Vulnerabilities & Bypasses

🚨 Plaintext Webhook Tokens Stored in Database RESOLVED

  • Location: internal/db/db.go, internal/webhook/handlers.go
  • Fix: Plaintext token column has been dropped via DDL migration (ALTER TABLE webhooks DROP COLUMN IF EXISTS token;), and webhook creation no longer stores plaintext tokens in the database.

🚨 Message and Channel Access Bypasses Role Permissions & Overrides RESOLVED

  • Location: internal/message/handlers.go, internal/channel/handlers.go
  • Fix: Added CheckChannelPermission method to permissions.Checker that layers channel overrides on top of role permissions. Updated requireChannelAccess to accept a required permission bitmap — message Create checks SEND_MESSAGES, List/Search check VIEW_CHANNEL, BulkDelete uses CheckPermission for MANAGE_MESSAGES. Channel handler List now filters out channels the user cannot view.
  • Location: internal/auth/cookie.go
  • Fix: Default secure is now set to true unless COOKIE_SECURE=false is explicitly set in environment variables.

2. Functional Bugs & Defects

🐛 User Avatar Cannot Be Changed RESOLVED

🐛 TUI Client Auth Failure Fallback Bug RESOLVED

  • Location: cmd/tui/auth.go
  • Fix: Correctly handles password input via fallback pwLine scanner without overwriting the user's email address.

3. Dead Code

🗑️ Unused ComputeChannelPermissions RESOLVED

🗑️ Duplicated Permission Verification RESOLVED

  • Location: internal/message/handlers.go
  • Fix: Removed the dead checkPermission method. Callers now use the Checker from the permissions package and its new CheckChannelPermission method.

🗑️ Obsolete Handler Type RESOLVED


4. Maintenance & Infrastructure

🧪 No Tests

  • Description: There are zero unit or integration tests in the Go backend or React frontend (go test ./... runs but finds no test files).
  • Remediation: Introduce tests for critical components such as permissions checking, message parsing, and session stores.

🔑 Hardcoded Valkey Password Placeholder RESOLVED