fix(reads): gate summaries/pod + children-pods reads (final sweep)#378
Merged
Conversation
Final pass on the read-leak sweep started in PR #375 and continued in PR #377. These two endpoints still 200'd for any authenticated user regardless of pod membership:

- GET /api/summaries/pod/:podId — returned full summary text + content
- GET /api/pods/:id/children — leaked existence, names, members of every child pod under a parent

Both now go through DMService.canViewPod (the same gate already used by /announcements, /files, /external-links, and PR #377's posts read paths). /children additionally filters its result array so a parent-visible-but-child-private layout still respects per-child membership. Members + admins + agent-dm §3.7 fan-out can read; all others 403.
lilyshen0722 added a commit that referenced this pull request on May 15, 2026
Adds a new bullet under Agent Runtime — Quick Rules covering the membership-by-default gate on the sidebar / listing / direct-ID surfaces (admins do NOT bypass; ?scope=all is the admin opt-in) and the canViewPod gate that pod-scoped read endpoints must call before returning content. Mirrors the pod-manager skill update in commonly-skills@e2ae064.
Final pass on the read-leak sweep started in PR #375 and continued in PR #377.

Summary

Two pod-scoped read endpoints still admin-bypassed (returning 200 for any authenticated user regardless of pod membership):

- GET /api/summaries/pod/:podId — returned full summary content
- GET /api/pods/:id/children — leaked existence + names + members of nested pods under a parent

Both now run through DMService.canViewPod — same gate already used by /announcements, /files, /external-links, and PR #377's posts read paths. /children additionally filters its result array so a parent-visible-but-child-private layout still respects per-child membership.

Test plan

- npx jest __tests__/unit/routes/pods __tests__/unit/controllers/podController — 62/62 passing
- GET /api/summaries/pod/<stranger's room> returns 403 (was 200)
- GET /api/pods/<stranger's pod>/children returns 403 (was 200)
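The gate pattern this PR and its follow-up commit describe, written out as an added, self-contained example. This is not the project's own code: the in-memory pod/user fixture, the body of canViewPod, the handler names, the 404-after-gate behaviour and the decision to reject ?scope=all from non-admins with 403 are all assumed here for illustration, and the agent-dm §3.7 fan-out path is left out. It shows the three rules the PR text spells out: a direct-ID read (summary) is gated before any content is returned, /children is gated on the parent and then filtered per child, and the listing surface is membership-by-default with admins only seeing everything when they opt in via ?scope=all.

```javascript
// Added example of membership-gated pod reads (not the project's code).
// All data and names below are constructed for illustration.

// Constructed fixture. "parent" is visible to alice and bob, but only alice
// is a member of "private-child"; "other" belongs to carol alone.
const PODS = {
  parent: { id: 'parent', name: 'Parent', parentId: null, members: ['alice', 'bob'] },
  'open-child': { id: 'open-child', name: 'Open child', parentId: 'parent', members: ['alice', 'bob'] },
  'private-child': { id: 'private-child', name: 'Private child', parentId: 'parent', members: ['alice'] },
  other: { id: 'other', name: 'Other', parentId: null, members: ['carol'] },
};
const SUMMARIES = {
  parent: { podId: 'parent', text: 'parent summary' },
  other: { podId: 'other', text: 'other summary' },
};
const USERS = {
  alice: { id: 'alice', isAdmin: false },
  bob: { id: 'bob', isAdmin: false },
  carol: { id: 'carol', isAdmin: false },
  root: { id: 'root', isAdmin: true },
};

const forbidden = () => ({ status: 403, body: { error: 'forbidden' } });

// The single read gate every pod-scoped endpoint calls before returning
// content. Admins pass on direct reads; everyone else must be a member.
// An unknown pod id is answered exactly like a forbidden one so the
// status code cannot be used to probe for existence.
function canViewPod(user, podId) {
  const pod = PODS[podId];
  if (!pod) return false;
  if (user.isAdmin) return true;
  return pod.members.includes(user.id);
}

// GET /api/summaries/pod/:podId -- gate first, only then touch the data.
function getPodSummary(user, podId) {
  if (!canViewPod(user, podId)) return forbidden();
  const summary = SUMMARIES[podId];
  return summary
    ? { status: 200, body: summary }
    : { status: 404, body: { error: 'not found' } };
}

// GET /api/pods/:id/children -- gate on the parent, then run each child
// through the same gate so a parent-visible-but-child-private layout still
// hides the private child's existence, name and member list.
function listChildren(user, parentId) {
  if (!canViewPod(user, parentId)) return forbidden();
  const children = Object.values(PODS)
    .filter((p) => p.parentId === parentId && canViewPod(user, p.id))
    .map(({ id, name, members }) => ({ id, name, members }));
  return { status: 200, body: children };
}

// Sidebar / listing surface: membership by default, and admins do not
// bypass it. ?scope=all is the explicit admin opt-in; this example rejects
// it from non-admins rather than silently ignoring it (an assumption).
function listPods(user, query = {}) {
  const wantsAll = query.scope === 'all';
  if (wantsAll && !user.isAdmin) return forbidden();
  const all = Object.values(PODS);
  const visible = wantsAll ? all : all.filter((p) => p.members.includes(user.id));
  return { status: 200, body: visible.map((p) => p.id) };
}
```

Note the ordering inside each handler: the gate runs before any lookup of summary or child data, so a stranger gets the same 403 whether the pod exists or not, and the children array is filtered by the same predicate that gates the parent rather than by a second, looser check.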