Commit Graph

7 Commits

Author SHA1 Message Date
51fb8ca073 fix(security): close critical auth/SSRF/RBAC holes
Verified locally end-to-end (before: exploitable, after: blocked).

- config: refuse to start on weak/default/short SECRET_KEY (was
  trivially forgeable JWT -> full admin)
- deps: add reusable require_admin dependency (JWT or API key)
- api-keys: require admin to mint/list/revoke; mask key on list
  (was unauthenticated -> instant admin API key)
- webhooks: whole router now admin-only (was fully unauthenticated
  CRUD + readable logs)
- webhook delivery: validate URL scheme + reject hosts resolving to
  private/loopback/link-local/reserved IPs; disable redirects
  (was a readable SSRF primitive)
- rbac: implement a real project-role hierarchy in check_project_role
  (was a no-op: any member, even guest, passed admin/mgr gates)
- misc: auth on delete_milestone (+ensure_can_edit_milestone),
  worklog create/delete (force caller user_id, owner-only delete),
  /activity and /export/tasks (were unauthenticated data exposure)
- tasks: auth + ensure_can_edit_task on assign_task and batch_assign

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 16:53:14 +01:00
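The webhook-delivery item above describes the standard SSRF mitigation: accept only http/https, resolve the host and reject any answer that is private, loopback, link-local, reserved or otherwise non-routable, and deliver without following redirects. The following is an added example written for this page, not code from the repository; the resolver is injectable so the check runs offline against a constructed name table (`FAKE_DNS`), and the sample addresses in that table are constructed test data.

```python
"""Webhook target validation against SSRF (added example, not the project's code)."""
import ipaddress
import socket
import urllib.request
from typing import Callable, Iterable, List

from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# A resolver maps a host name to the textual IPs it resolves to.
Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> List[str]:
    """Real DNS lookup returning every A/AAAA answer: any of them may be used."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip_text: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    # ::ffff:127.0.0.1-style addresses are judged by their IPv4 payload.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (
        ip.is_private        # 10/8, 172.16/12, 192.168/16, fc00::/7, RFC 5737 test nets, ...
        or ip.is_loopback    # 127/8, ::1
        or ip.is_link_local  # 169.254/16 (cloud metadata endpoints), fe80::/10
        or ip.is_reserved
        or ip.is_multicast
        or ip.is_unspecified  # 0.0.0.0, ::
    )


def validate_webhook_url(url: str, resolver: Resolver = system_resolver) -> List[str]:
    """Return the addresses a webhook URL resolves to, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        raise ValueError("URL has no host")
    try:
        ipaddress.ip_address(host)
        addresses = [host]  # IP literal: no DNS involved
    except ValueError:
        addresses = list(resolver(host))  # forms like "127.1" or "2130706433" end up here
    if not addresses:
        raise ValueError(f"host does not resolve: {host!r}")
    bad = [a for a in addresses if not is_public_address(a)]
    if bad:
        raise ValueError(f"host {host!r} resolves to non-public address(es): {bad}")
    return addresses


def is_allowed_target(url: str, resolver: Resolver = system_resolver) -> bool:
    """Boolean convenience wrapper around validate_webhook_url."""
    try:
        validate_webhook_url(url, resolver)
        return True
    except ValueError:
        return False


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Turn every 3xx into an HTTPError instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def deliver(url: str, payload: bytes, resolver: Resolver = system_resolver,
            timeout: float = 5.0) -> int:
    """Validate, then POST with redirects disabled; returns the HTTP status."""
    validate_webhook_url(url, resolver)
    # Caveat: the name is resolved again by urllib when connecting. A resolver
    # that changes its answer between the two lookups (DNS rebinding) is not
    # stopped by this alone; pinning the validated IP needs client support.
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, data=payload, method="POST",
                                 headers={"Content-Type": "application/json"})
    with opener.open(req, timeout=timeout) as resp:
        return resp.status


# Constructed name table for offline demonstration (not real DNS data).
FAKE_DNS = {
    "hooks.example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example.com": ["93.184.216.34", "10.0.0.5"],  # one public, one private answer
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in ["https://hooks.example.com/notify", "http://127.0.0.1:8000/",
                      "http://[::ffff:127.0.0.1]/", "http://metadata.internal/latest",
                      "file:///etc/passwd", "http://rebind.example.com/"]:
        print(f"{candidate:40} allowed={is_allowed_target(candidate, fake_resolver)}")
```

Rejecting a host when any resolved answer is non-public (see `rebind.example.com`) is deliberate: a client may pick any of the answers, so a single private one is enough to reach an internal service.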
zhi
5ccd955a66 Fix: use role name 'admin' instead of 'superadmin' for global admin check 2026-03-22 11:17:51 +00:00
zhi
9e14df921e feat: add modal-edit permissions for projects milestones and tasks 2026-03-16 18:13:54 +00:00
61e3349ca4 feat: add role/permission system with tests support
- Add Role model with 17 default permissions
- Add init_wizard to create admin/guest roles on first startup
- Protect admin role from modification/deletion via API
- Fix MilestoneCreate schema (project_id optional)
- Fix delete role to clean up role_permissions first
- Add check_project_role RBAC function
2026-03-15 12:25:59 +00:00
Zhi
c695ef903f fix: rbac ProjectMember reference, add repo field to Project 2026-03-12 12:04:51 +00:00
Zhi
74177915df feat: add configurable role/permission system 2026-03-12 11:41:55 +00:00
Zhi
6d58ee779c feat: RBAC module + project endpoints protected (admin/mgr roles) 2026-02-24 04:16:32 +00:00