Skip to content

fix(channel): assign session ownership and restrict ownerless access#369

Merged
duguwanglong merged 2 commits into
devfrom
fix/channel-session-visibility
Jun 4, 2026
Merged

fix(channel): assign session ownership and restrict ownerless access#369
duguwanglong merged 2 commits into
devfrom
fix/channel-session-visibility

Conversation

@xiami762
Copy link
Copy Markdown
Contributor

@xiami762 xiami762 commented Jun 4, 2026

Summary

  • Assign local admin ownership when channel inbound creates or rebinds sessions, since channel dispatch runs outside HTTP auth middleware
  • Preserve existing owner on channel session rebind instead of creating another ownerless session
  • Treat ownerless sessions as legacy/unauthenticated state: no longer show the shared badge, and restrict read/write/delete to admins only
  • Use SessionPolicy.is_shared() for the session list shared badge so it reflects explicit sharing only

duguwanglong and others added 2 commits June 3, 2026 19:22
@duguwanglong @cursoragent
fix(session): grant full access to ownerless sessions for all local u…
e7011c9 
…sers

Channel-originated sessions are created outside an HTTP auth context,
leaving owner_user_id and owner_username as None. Previously, any
authenticated Web UI user would fail the is_owner() check and be denied
read/write/delete access entirely.

Introduce _has_no_owner() and a unified is_shared() predicate on
SessionPolicy. Sessions with no owner are now treated as locally shared:
any authenticated user can read, write, and delete them, and the UI
"shared" badge is derived from the same predicate. Existing ownerless
sessions are covered with no data migration required.

Co-authored-by: Cursor <cursoragent@cursor.com>
@xiami762 @cursoragent
fix(channel): assign session ownership and restrict ownerless access
fe9630f 
Channel-created sessions now resolve a local admin owner or preserve an
existing owner on rebind. Ownerless sessions are no longer treated as
shared; only admins can manage legacy ownerless sessions.

Co-authored-by: Cursor <cursoragent@cursor.com>
@xiami762 xiami762 requested review from Jieatgit and duguwanglong June 4, 2026 02:28
@duguwanglong duguwanglong merged commit a4a0dd4 into dev Jun 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@duguwanglong duguwanglong duguwanglong approved these changes

@Jieatgit Jieatgit Awaiting requested review from Jieatgit

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@xiami762 @duguwanglong