chihlasm/resolutionflow
1
0
Fork 0
Code Issues 23 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix: restrict AI session search to current user only

Browse Source 
Search endpoint used OR(user_id, account_id), exposing other users'
problem_summary and problem_domain within the same account. Sessions
are user-scoped only — cross-user access requires explicit escalation
or sharing. List and search endpoints now behave consistently.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
chihlasm
2026-04-09 03:54:06 +00:00
parent 68eabf27f4
commit d89fb0cec5
1 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
backend/app/api/endpoints/ai_sessions.py
View File

@@ -762,13 +762,13 @@ async def search_sessions(
limit: int = Query(5, ge=1, le=20), limit: int = Query(5, ge=1, le=20),
): ):
"""Search AI sessions by content using full-text search. Used by Command Palette.""" """Search AI sessions by content using full-text search. Used by Command Palette."""
# Sessions are user-scoped. The list endpoint uses user_id only;
# search must be consistent. Cross-user access requires explicit
# escalation or session sharing — not ambient account membership.
result = await db.execute( result = await db.execute(
select(AISession) select(AISession)
.where( .where(
or_( AISession.user_id == current_user.id,
AISession.user_id == current_user.id,
AISession.account_id == current_user.account_id,
),
text("ai_sessions.search_vector @@ plainto_tsquery('english', :q)"), text("ai_sessions.search_vector @@ plainto_tsquery('english', :q)"),
) )
.params(q=q) .params(q=q)