v12.116.18

@riderx riderx released this 02 Mar 13:28
· 1739 commits to main since this release

🆕 Changelog

Security

  • Enhanced RBAC (Role-Based Access Control) security with multiple privilege escalation fixes
  • Fixed API key privilege escalation vulnerability by enforcing is_assignable flag in role assignment policies
  • Prevented privilege escalation in role_bindings endpoint through proper permission validation
  • Added database trigger to prevent deletion of the last super_admin binding, ensuring organizations always have at least one administrator
  • Implemented FOR UPDATE lock to prevent race conditions when deleting the last super_admin
  • Fixed API key RBAC principal mapping and removed service_role authentication bypass
  • Corrected API key data leak in permission checking functions by making rank calculations auth-type-aware
  • Added support for hashed API keys in direct permission checks
  • Fixed SQL injection vulnerability by using parameterized queries in store app lookup function
  • Ensured all role bindings are automatically removed when organization members are deleted
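
The last-super_admin protection from the list above (a delete trigger, a FOR UPDATE lock against concurrent deletions, and the CASCADE allowance noted under Fixed) can look like this in PostgreSQL. This is an added example, not the project's migration: the orgs and role_bindings tables, their columns, the function and trigger names, and the choice to lock the parent organization row are all assumptions.

```sql
-- Hypothetical schema for illustration only (not the project's tables).
CREATE TABLE orgs (
    id uuid PRIMARY KEY
);

CREATE TABLE role_bindings (
    id           bigserial PRIMARY KEY,
    org_id       uuid NOT NULL REFERENCES orgs (id) ON DELETE CASCADE,
    principal_id uuid NOT NULL,
    role_name    text NOT NULL
);

CREATE FUNCTION prevent_last_super_admin_delete()
RETURNS trigger
LANGUAGE plpgsql
AS $$
BEGIN
    -- Only super_admin bindings are protected.
    IF OLD.role_name <> 'super_admin' THEN
        RETURN OLD;
    END IF;

    -- Lock the parent row so two sessions deleting different super_admin
    -- bindings of the same organization run one after the other. Under
    -- READ COMMITTED the second session re-reads role_bindings after the
    -- lock is granted and therefore sees the first session's delete.
    PERFORM 1 FROM orgs WHERE id = OLD.org_id FOR UPDATE;

    -- No parent row: the organization itself is being deleted in this
    -- transaction and the binding is going away via ON DELETE CASCADE.
    IF NOT FOUND THEN
        RETURN OLD;
    END IF;

    IF NOT EXISTS (
        SELECT 1
        FROM role_bindings
        WHERE org_id = OLD.org_id
          AND role_name = 'super_admin'
          AND id <> OLD.id
    ) THEN
        RAISE EXCEPTION 'cannot delete the last super_admin binding of organization %', OLD.org_id
            USING ERRCODE = 'check_violation';
    END IF;

    RETURN OLD;
END;
$$;

CREATE TRIGGER role_bindings_keep_one_super_admin
BEFORE DELETE ON role_bindings
FOR EACH ROW EXECUTE FUNCTION prevent_last_super_admin_delete();
```

Without the lock, two concurrent transactions could each see the other's binding still present, both pass the check, and leave the organization with no super_admin.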

Fixed

  • Corrected RBAC migration comments for better code clarity
  • Allowed CASCADE deletions in super admin protection trigger for improved test compatibility
  • Fixed organization member deletion tests to work correctly with RBAC enforcement

Removed

  • Removed unused Cloudflare function getStoreAppByIdCF

🔗 Full Changelog: v12.116.17...v12.116.18