Skip to content

fix: get bookings handler for pbac and fallback roles#1

Open
tomerqodo wants to merge 2 commits into
codex_full_base_fix_get_bookings_handler_for_pbac_and_fallback_roles_pr1from
codex_full_head_fix_get_bookings_handler_for_pbac_and_fallback_roles_pr1
Open

fix: get bookings handler for pbac and fallback roles#1
tomerqodo wants to merge 2 commits into
codex_full_base_fix_get_bookings_handler_for_pbac_and_fallback_roles_pr1from
codex_full_head_fix_get_bookings_handler_for_pbac_and_fallback_roles_pr1

Conversation

@tomerqodo

Copy link
Copy Markdown

Benchmark PR from agentic-review-benchmarks#1

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 544a43bf4f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines 221 to 222
}): Promise<number[]> {
return this.getTeamIdsWithPermissions({ userId, permissions: [permission], fallbackRoles });

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Pass orgId through for single-permission lookups

getTeamIdsWithPermission now accepts orgId, but it never forwards it to getTeamIdsWithPermissions, so org scoping is silently ignored for single-permission calls. Since PermissionCheckService.getTeamIdsWithPermission now passes orgId (e.g., for booking.read), this can return teams from other orgs and expand booking visibility beyond the intended org scope. Consider passing orgId through to keep the permission check correctly scoped.

Useful? React with 👍 / 👎.

Comment on lines 145 to +149
const areUserIdsWithinUserOrgOrTeam = filters.userIds.every((userId) =>
userIdsWhereUserIsAdminOrOwner.includes(userId)
allAccessibleUserIds.includes(userId)
);

const isCurrentUser = filters.userIds.length === 1 && user.id === filters.userIds[0];
const isCurrentUser = filters.userIds.includes(user.id);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Don't allow mixed userIds to bypass permission check

isCurrentUser now uses filters.userIds.includes(user.id), which means a caller can include their own ID alongside other users and bypass the FORBIDDEN guard. The subsequent queries use filters.userIds directly, so bookings for unauthorized users can be returned whenever the list contains the current user plus any disallowed IDs. This should only treat the “current user” exception as valid when the filter contains only the current user (or otherwise enforce that the filter is a subset of accessible users).

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant