chihlasm/resolutionflow
1
0
Fork 0
Code Issues 23 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
764 Commits 13 Branches 1 Tag
0a9b16a28f78bb244402bcf5f4bfef6892d2649e
Commit Graph

4 Commits

Author SHA1 Message Date
chihlasm
61402f62a2 fix: address Task 6 quality review — rename helper, restore 403 for intra-account, add docs test 
- Rename _get_tree_or_403 → _get_tree_or_404 in maintenance_schedules.py
  (function now raises 404, old name was misleading)
- Restore HTTP 403 for intra-account permission failures in update_tree:
  same-account users who can see a tree but can't edit it got 404 (wrong);
  only cross-account lookups should return 404 to avoid confirming existence
- Apply same 403/404 distinction to update_tree_visibility
- Add test: get_documentation must return 404 for cross-user session access
- Add comment documenting owner-only design for documentation endpoints

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-09 04:19:28 +00:00
chihlasm
ff53ea7da9 fix: return 404 (not 403) for get_documentation cross-user access; add missing Task 6 tests 
get_documentation was revealing session existence via 403. Added pre-check
query filtering by session_id AND user_id before calling the engine.

Also add cross-tenant isolation tests for steps, tags, step_categories,
and maintenance_schedules endpoints fixed in Task 6 (TDD was skipped).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-09 04:12:59 +00:00
chihlasm
8a4c870cd9 test: add cross-tenant isolation tests for Task 6 UUID audit 
Tests cover:
- Tree GET/PUT returns 404 for cross-account access
- Session GET returns 404 for cross-user access
- AI session GET returns 404 for cross-user access
- AI session retry-psa-push requires ownership
- Upload URL returns 404 for cross-account access
- Share revoke returns 404 for cross-user access

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-09 04:02:14 +00:00
chihlasm
057c0abe16 fix: scope analytics/flows/{tree_id} to requesting account 
Any authenticated user could read flow analytics (session counts,
completion rates, CSAT) for any tree UUID. Now returns 404 if the
tree doesn't belong to the requesting account.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-09 03:53:57 +00:00