mosaicstack/stack
1
0
Fork 0
Code Issues 13 Pull Requests Actions Packages Projects Releases 11 Wiki Activity

fix(gateway): filter projects by ownership — close data privacy leak (#202)
Some checks failed
ci/woodpecker/push/ci Pipeline failed
Details

Browse Source 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
This commit was merged in pull request #202.
This commit is contained in:
Jason Woltje
2026-03-17 02:35:45 +00:00
committed by jason.woltje
parent 7a52652be6
commit 93645295d5
5 changed files with 132 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
packages/brain/src/projects.ts
View File

@@ -1,4 +1,4 @@
import { eq, type Db, projects } from '@mosaic/db';
import { eq, or, inArray, type Db, projects, teamMembers } from '@mosaic/db';
export type Project = typeof projects.$inferSelect;
export type NewProject = typeof projects.$inferInsert;
@@ -9,6 +9,31 @@ export function createProjectsRepo(db: Db) {
return db.select().from(projects);
},
/**
* Return only the projects visible to a given user:
* projects directly owned by the user (ownerType = 'user', ownerId = userId), OR
* projects owned by a team the user belongs to (ownerType = 'team', teamId IN user's teams)
*/
async findAllForUser(userId: string): Promise<Project[]> {
// Fetch the team IDs the user is a member of.
const memberRows = await db
.select({ teamId: teamMembers.teamId })
.from(teamMembers)
.where(eq(teamMembers.userId, userId));
const teamIds = memberRows.map((r) => r.teamId);
if (teamIds.length === 0) {
// No team memberships — return only directly owned projects.
return db.select().from(projects).where(eq(projects.ownerId, userId));
}
return db
.select()
.from(projects)
.where(or(eq(projects.ownerId, userId), inArray(projects.teamId, teamIds)));
},
async findById(id: string): Promise<Project | undefined> {
const rows = await db.select().from(projects).where(eq(projects.id, id));
return rows[0];