
Validate import target permissions #140

Open

ag-linden wants to merge 2 commits into cropflre:main from ag-linden:fix/import-notebook-permissions

Conversation

@ag-linden


Summary

  • Add a shared import-target permission helper for workspace and notebook write checks.
  • Apply it to note import, AI document imports, URL/Xiaomi imports, and Nowen package target imports.
  • Ensure explicit notebook imports inherit the notebook's workspace instead of trusting caller-supplied workspace state.
  • Add route-level regression coverage for workspace import permissions, explicit notebook workspace inheritance, and AI parse-document write authorization.

Root cause

Several import-style write paths accepted caller-provided workspaceId or notebookId targets without reusing the same write checks and workspace inheritance used by normal note creation.

Why it matters

Bulk import and document import paths should preserve the same notebook/workspace boundaries as regular CRUD paths. This keeps imported notes attached only to targets the requester can write to, and keeps notes.workspaceId aligned with the target notebook.

Validation

  • npx tsx --test tests/import-target-permissions.test.ts passes.
  • git diff --check passes.

Known existing blockers while running broader local checks:

  • npm run build:tsc fails in unrelated files: missing sanitize-html type/module resolution, data-file.ts string/path typing, and task-calendar.ts existing strictness errors.
  • npm run build also fails before this patch's changed code due to unresolved sanitize-html from src/lib/sanitizeHtml.ts.

@chatgpt-codex-connector (bot) left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9fe35b05c2


const wsWasExplicit = wsRaw !== undefined && wsRaw.trim() !== "";
// Workspace parameter: personal/empty → null (also written to the DB as NULL), otherwise keep the string.
// An explicit notebookId is resolved afterwards, and the notebook's own workspace takes precedence.
let targetWs: string | null = normalizeImportWorkspaceId(wsRaw);
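Review bot: `wsWasExplicit` is derived from the raw `wsRaw` before the notebook is resolved, while the comment on `targetWs` says an explicit notebookId later replaces it with the notebook's workspace; when a caller supplies both a workspaceId and a notebookId whose workspace differs, reject the request (400) instead of silently overriding the workspace, and make sure the write-permission check and any scope-dependent gate run against the resolved `targetWs`, not the normalized `wsRaw`.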


P2: Defer personal-scope gate until after notebook resolution

When callers omit workspaceId and provide a workspace notebookId, this new inherited-workspace path is still classified as personal here, so denyIfPersonalFeatureDisabled can return 403 before lines 164-172 resolve the notebook and update targetWs to the notebook's workspace. This blocks users whose personal import is disabled from importing into a workspace notebook they can write to; parse the body/resolve the explicit notebook first, then apply the personal-only gate to the resolved target scope.
