Skip to content

fix: use user ctx for fetching group members#25810

Closed
sreya wants to merge 2 commits into
mainfrom
workspace-acl-vuln
Closed

fix: use user ctx for fetching group members#25810
sreya wants to merge 2 commits into
mainfrom
workspace-acl-vuln

Conversation

@sreya

@sreya sreya commented May 28, 2026

Copy link
Copy Markdown
Collaborator

No description provided.

@sreya sreya requested a review from Emyrk May 28, 2026 19:28
Emyrk
Emyrk requested changes Jun 3, 2026
View reviewed changes

@Emyrk Emyrk left a comment
edited
Loading

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is a problem here. If the user who is looking at the ACL does not have permission to read a group, this breaks the entire query as an internal server error.

This is a normal case for non-admins.

The comment reads more dangerous then it is (although it is still leaky).

If you can read a workspace, should you be able to see all users who can access the workspace via some ACL like groups/users?

The answer is probably. But it leaks user info. If we want to deny this behavior via the group relation, we need to handle this error differently. We cannot just return an internal server error and kill the query. Maybe return something like +7 other users in the group? idk

Edit: It will not 500, it will silently drop people you can't read

@sreya

sreya commented Jun 10, 2026

Copy link
Copy Markdown
Collaborator Author

closed this in favor of #26206

@sreya sreya closed this Jun 10, 2026
@github-actions github-actions Bot locked and limited conversation to collaborators Jun 10, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@Emyrk Emyrk Emyrk requested changes

Assignees

@sreya sreya

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sreya @Emyrk