
fix(discover): Add missing check for DiscoverSavedQueryVisitEndpoint #116187

Merged
nsdeschenes merged 1 commit into master from nd/BROWSE-518/fix-saved-queries-check-obj-perms
May 26, 2026

Conversation

@nsdeschenes
Contributor

This PR adds in a missing check in the DiscoverSavedQueryVisitEndpoint endpoint.

Closes BROWSE-518

…sit endpoint

DiscoverSavedQueryVisitEndpoint.post skipped check_object_permissions,
allowing any org member with org:read to mutate visits and last_visited
on saved queries scoped to projects they lack access to. The sibling
GET/PUT/DELETE handlers all enforce this check.

Fixes VULN-1691
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
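The defect described above is the classic missing object-level check: a request-level permission (here, org:read) passes, but the handler never asks whether the caller may touch the specific saved query it is about to mutate. In Django REST Framework, which Sentry's endpoints build on, the request-level check runs automatically before the handler, while the object-level check must be called explicitly by each handler once it has loaded the object, so a single forgotten call in one handler is enough. The following is an added, self-contained illustration written for this page, not Sentry's code: the endpoint, permission and model classes are hypothetical stand-ins, and it shows the vulnerable handler beside the fixed one so the difference in outcome for a project-scoped query can be observed directly.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional, Tuple


class PermissionDenied(Exception):
    """Stands in for the framework's permission-denied exception."""


@dataclass
class User:
    # Hypothetical user: org-level scopes plus the projects the user may access.
    name: str
    scopes: FrozenSet[str] = frozenset()
    project_ids: FrozenSet[int] = frozenset()


@dataclass
class SavedQuery:
    # Hypothetical saved query, scoped to zero or more projects.
    id: int
    project_ids: FrozenSet[int] = frozenset()
    visits: int = 0
    last_visited: Optional[str] = None


class SavedQueryPermission:
    """Toy permission class mirroring the split between request-level and
    object-level checks."""

    def has_permission(self, user: User) -> bool:
        # Request-level check: any org member holding org:read passes.
        return "org:read" in user.scopes

    def has_object_permission(self, user: User, query: SavedQuery) -> bool:
        # Object-level check: the caller needs access to every project the
        # query is scoped to; an unscoped query is visible org-wide.
        return query.project_ids <= user.project_ids


class SavedQueryVisitEndpoint:
    permission = SavedQueryPermission()

    def initial(self, user: User) -> None:
        # Framework-style entry point: the request-level check runs for every
        # handler automatically.
        if not self.permission.has_permission(user):
            raise PermissionDenied("org:read required")

    def check_object_permissions(self, user: User, query: SavedQuery) -> None:
        # Object-level check: it only has meaning once the object is loaded,
        # so each handler must call it explicitly.
        if not self.permission.has_object_permission(user, query):
            raise PermissionDenied(f"{user.name} may not access saved query {query.id}")

    def post_missing_check(self, user: User, query: SavedQuery, now: str) -> SavedQuery:
        """The defect pattern: mutate the object without the object-level check."""
        self.initial(user)
        query.visits += 1
        query.last_visited = now
        return query

    def post_fixed(self, user: User, query: SavedQuery, now: str) -> SavedQuery:
        """The fixed pattern: object-level check before any mutation."""
        self.initial(user)
        self.check_object_permissions(user, query)
        query.visits += 1
        query.last_visited = now
        return query


def attempt(handler: Callable[[User, SavedQuery, str], SavedQuery],
            user: User, query: SavedQuery,
            now: str = "2026-05-26T14:44:00Z") -> Tuple[str, int]:
    """Run a handler and report ("ok" | "denied", visit count afterwards)."""
    try:
        handler(user, query, now)
        return ("ok", query.visits)
    except PermissionDenied:
        return ("denied", query.visits)


if __name__ == "__main__":
    # Constructed sample data: an org member who has org:read but no access to
    # project 1, and a saved query scoped to project 1.
    endpoint = SavedQueryVisitEndpoint()
    outsider = User("outsider", frozenset({"org:read"}), frozenset({2}))
    print("missing check:", attempt(endpoint.post_missing_check, outsider, SavedQuery(1, frozenset({1}))))
    print("with check:   ", attempt(endpoint.post_fixed, outsider, SavedQuery(1, frozenset({1}))))
```

The `attempt` helper makes the two outcomes comparable: with the check missing, the outsider's visit is recorded; with the check in place, the request is denied and the visit count is unchanged. As a review habit, any handler that loads an object and then writes to it should show a `check_object_permissions` call (or an equivalent scoped lookup) between the load and the write; comparing each handler of an endpoint against its siblings, as the commit message does for GET/PUT/DELETE, is a quick way to catch the one that forgot.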
@linear-code

linear-code Bot commented May 26, 2026

BROWSE-518

@github-actions github-actions Bot added the Scope: Backend Automatically applied to PRs that change backend components label May 26, 2026
@nsdeschenes nsdeschenes marked this pull request as ready for review May 26, 2026 14:44
@nsdeschenes nsdeschenes requested review from a team as code owners May 26, 2026 14:44
Contributor

@adrianviquez adrianviquez left a comment


Mmmm, is this something that is required by other endpoints? I'm wondering how this could be prevented for the future, like adding it as a base permission or smth, though idk if this applies more broadly or on a case-by-case basis.

@nsdeschenes nsdeschenes merged commit d8c5355 into master May 26, 2026
63 checks passed
@nsdeschenes nsdeschenes deleted the nd/BROWSE-518/fix-saved-queries-check-obj-perms branch May 26, 2026 16:30