Skip to content

fix(coderd): reject pinning child chats in patchChat handler#24669

Merged
johnstcn merged 5 commits intomainfrom
fix/reject-pin-child-chat
Apr 23, 2026
Merged

fix(coderd): reject pinning child chats in patchChat handler#24669
johnstcn merged 5 commits intomainfrom
fix/reject-pin-child-chat

Conversation

@johnstcn
Copy link
Copy Markdown
Member

@johnstcn johnstcn commented Apr 23, 2026

The UI already prevents child (delegated/subagent) chats from being pinned, but the PATCH /api/experimental/chats/{chat} endpoint did not enforce this. A direct API call could pin a child chat.

  • Add a 400 Bad Request guard in patchChat when pinOrder > 0 and the chat has a ParentChatID
  • Add TestChatPinOrder/RejectsChildChat test
Decision log
Decision Rationale
400 (not 403 or 422) Matches existing "Cannot pin an archived chat." pattern
Message: "Cannot pin a child chat." Matches "Cannot pin an archived chat." style
Placement: after archived check Groups related pin guards together
Test in TestChatPinOrder Keeps all pin-order tests co-located
Backend-only UI already prevents this

🤖

johnstcn
johnstcn commented Apr 23, 2026
View reviewed changes
Copy link
Copy Markdown
Member Author

@johnstcn johnstcn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

self-reviewed

Comment thread coderd/exp_chats_test.go Outdated
@johnstcn johnstcn marked this pull request as ready for review April 23, 2026 15:47
@DanielleMaywood
Copy link
Copy Markdown
Contributor

DanielleMaywood commented Apr 23, 2026

thoughts on enforcing at the schema-level to prevent a regression by a possible introduction of another pin-path?

@johnstcn
Copy link
Copy Markdown
Member Author

johnstcn commented Apr 23, 2026

thoughts on enforcing at the schema-level to prevent a regression by a possible introduction of another pin-path?

Yeah but we should roll other related items in as well e.g. the archival stuff. You could also make the argument that child chats belong in their own table.

@johnstcn
Copy link
Copy Markdown
Member Author

johnstcn commented Apr 23, 2026

49e2421 adds a check constraint on both pin order and archived

@johnstcn johnstcn force-pushed the fix/reject-pin-child-chat branch from 49e2421 to 1f05ddb Compare April 23, 2026 17:01
@johnstcn johnstcn merged commit c602a31 into main Apr 23, 2026
26 checks passed
@johnstcn johnstcn deleted the fix/reject-pin-child-chat branch April 23, 2026 17:36
@github-actions github-actions Bot locked and limited conversation to collaborators Apr 23, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@ThomasK33 ThomasK33 ThomasK33 approved these changes

@DanielleMaywood DanielleMaywood DanielleMaywood approved these changes

Assignees

@johnstcn johnstcn

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@johnstcn @DanielleMaywood @ThomasK33