fix(M2-005,M2-006): enforce user ownership at repo level for conversations and agents
ConversationsRepo: add userId parameter to findById, update, remove, findMessages, and addMessage so every query filters by conversations.userId in the WHERE clause. This prevents cross-user data access even if the controller layer were bypassed. AgentsRepo: add optional ownerId parameter to update (enforced for user-owned agents, omitted for admin system-agent path) and required ownerId to remove so the DELETE WHERE clause always scopes to the requesting user's agents. Controller call sites updated to pass userId/ownerId to the repo methods. The resource-ownership unit test updated to reflect that findById now returns undefined (not a foreign-user object) when ownership is checked at the DB layer. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -1,4 +1,4 @@
|
||||
import { eq, or, type Db, agents } from '@mosaic/db';
|
||||
import { eq, and, or, type Db, agents } from '@mosaic/db';
|
||||
|
||||
export type Agent = typeof agents.$inferSelect;
|
||||
export type NewAgent = typeof agents.$inferInsert;
|
||||
@@ -27,6 +27,10 @@ export function createAgentsRepo(db: Db) {
|
||||
return db.select().from(agents).where(eq(agents.isSystem, true));
|
||||
},
|
||||
|
||||
/**
|
||||
* Return only agents the user may access: their own agents plus all system agents.
|
||||
* Never returns other users' private agents.
|
||||
*/
|
||||
async findAccessible(ownerId: string): Promise<Agent[]> {
|
||||
return db
|
||||
.select()
|
||||
@@ -39,17 +43,44 @@ export function createAgentsRepo(db: Db) {
|
||||
return rows[0]!;
|
||||
},
|
||||
|
||||
async update(id: string, data: Partial<NewAgent>): Promise<Agent | undefined> {
|
||||
/**
|
||||
* Update an agent.
|
||||
*
|
||||
* For user-owned agents pass `ownerId` — the WHERE clause will enforce ownership so that
|
||||
* one user cannot overwrite another user's agent. For system agents the caller must
|
||||
* omit `ownerId` (admin-only path) and the WHERE clause only matches on `id`.
|
||||
*
|
||||
* Returns undefined when no row was matched (not found or ownership mismatch).
|
||||
*/
|
||||
async update(
|
||||
id: string,
|
||||
data: Partial<NewAgent>,
|
||||
ownerId?: string,
|
||||
): Promise<Agent | undefined> {
|
||||
const condition =
|
||||
ownerId !== undefined
|
||||
? and(eq(agents.id, id), eq(agents.ownerId, ownerId))
|
||||
: eq(agents.id, id);
|
||||
|
||||
const rows = await db
|
||||
.update(agents)
|
||||
.set({ ...data, updatedAt: new Date() })
|
||||
.where(eq(agents.id, id))
|
||||
.where(condition)
|
||||
.returning();
|
||||
return rows[0];
|
||||
},
|
||||
|
||||
async remove(id: string): Promise<boolean> {
|
||||
const rows = await db.delete(agents).where(eq(agents.id, id)).returning();
|
||||
/**
|
||||
* Delete a user-owned agent, scoped to the given owner.
|
||||
* Will not match system agents even if the id is correct, because system agents have
|
||||
* `ownerId = null` which cannot equal a real user id.
|
||||
* Returns false when no row was matched (not found, wrong owner, or system agent).
|
||||
*/
|
||||
async remove(id: string, ownerId: string): Promise<boolean> {
|
||||
const rows = await db
|
||||
.delete(agents)
|
||||
.where(and(eq(agents.id, id), eq(agents.ownerId, ownerId)))
|
||||
.returning();
|
||||
return rows.length > 0;
|
||||
},
|
||||
};
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
import { eq, asc, desc, type Db, conversations, messages } from '@mosaic/db';
|
||||
import { eq, and, asc, desc, type Db, conversations, messages } from '@mosaic/db';
|
||||
|
||||
/** Maximum number of conversations returned per list query. */
|
||||
const MAX_CONVERSATIONS = 200;
|
||||
@@ -21,8 +21,15 @@ export function createConversationsRepo(db: Db) {
|
||||
.limit(MAX_CONVERSATIONS);
|
||||
},
|
||||
|
||||
async findById(id: string): Promise<Conversation | undefined> {
|
||||
const rows = await db.select().from(conversations).where(eq(conversations.id, id));
|
||||
/**
|
||||
* Find a conversation by ID, scoped to the given user.
|
||||
* Returns undefined if the conversation does not exist or belongs to a different user.
|
||||
*/
|
||||
async findById(id: string, userId: string): Promise<Conversation | undefined> {
|
||||
const rows = await db
|
||||
.select()
|
||||
.from(conversations)
|
||||
.where(and(eq(conversations.id, id), eq(conversations.userId, userId)));
|
||||
return rows[0];
|
||||
},
|
||||
|
||||
@@ -31,21 +38,47 @@ export function createConversationsRepo(db: Db) {
|
||||
return rows[0]!;
|
||||
},
|
||||
|
||||
async update(id: string, data: Partial<NewConversation>): Promise<Conversation | undefined> {
|
||||
/**
|
||||
* Update a conversation, scoped to the given user.
|
||||
* Returns undefined if the conversation does not exist or belongs to a different user.
|
||||
*/
|
||||
async update(
|
||||
id: string,
|
||||
userId: string,
|
||||
data: Partial<NewConversation>,
|
||||
): Promise<Conversation | undefined> {
|
||||
const rows = await db
|
||||
.update(conversations)
|
||||
.set({ ...data, updatedAt: new Date() })
|
||||
.where(eq(conversations.id, id))
|
||||
.where(and(eq(conversations.id, id), eq(conversations.userId, userId)))
|
||||
.returning();
|
||||
return rows[0];
|
||||
},
|
||||
|
||||
async remove(id: string): Promise<boolean> {
|
||||
const rows = await db.delete(conversations).where(eq(conversations.id, id)).returning();
|
||||
/**
|
||||
* Delete a conversation, scoped to the given user.
|
||||
* Returns false if the conversation does not exist or belongs to a different user.
|
||||
*/
|
||||
async remove(id: string, userId: string): Promise<boolean> {
|
||||
const rows = await db
|
||||
.delete(conversations)
|
||||
.where(and(eq(conversations.id, id), eq(conversations.userId, userId)))
|
||||
.returning();
|
||||
return rows.length > 0;
|
||||
},
|
||||
|
||||
async findMessages(conversationId: string): Promise<Message[]> {
|
||||
/**
|
||||
* Find messages for a conversation, scoped to the given user.
|
||||
* Returns an empty array if the conversation does not exist or belongs to a different user.
|
||||
*/
|
||||
async findMessages(conversationId: string, userId: string): Promise<Message[]> {
|
||||
// Verify ownership of the parent conversation before returning messages.
|
||||
const conv = await db
|
||||
.select()
|
||||
.from(conversations)
|
||||
.where(and(eq(conversations.id, conversationId), eq(conversations.userId, userId)));
|
||||
if (conv.length === 0) return [];
|
||||
|
||||
return db
|
||||
.select()
|
||||
.from(messages)
|
||||
@@ -54,7 +87,19 @@ export function createConversationsRepo(db: Db) {
|
||||
.limit(MAX_MESSAGES);
|
||||
},
|
||||
|
||||
async addMessage(data: NewMessage): Promise<Message> {
|
||||
/**
|
||||
* Add a message to a conversation, scoped to the given user.
|
||||
* Verifies the parent conversation belongs to the user before inserting.
|
||||
* Returns undefined if the conversation does not exist or belongs to a different user.
|
||||
*/
|
||||
async addMessage(data: NewMessage, userId: string): Promise<Message | undefined> {
|
||||
// Verify ownership of the parent conversation before inserting the message.
|
||||
const conv = await db
|
||||
.select()
|
||||
.from(conversations)
|
||||
.where(and(eq(conversations.id, data.conversationId), eq(conversations.userId, userId)));
|
||||
if (conv.length === 0) return undefined;
|
||||
|
||||
const rows = await db.insert(messages).values(data).returning();
|
||||
return rows[0]!;
|
||||
},
|
||||
|
||||
Reference in New Issue
Block a user