…2712)

* fix(api): prevent admin self-escalation to owner role

PATCH /v1/people/:id allowed admins to grant themselves the owner role, modify their own member record, and assign roles higher than their own.

Add authorizeRoleChange() in people/utils/role-authorization.ts enforcing:
- self-modification block (route role changes through transfer-ownership)
- owner-role assignment block in both directions
- role-hierarchy check (caller must hold every role being assigned)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(auth): scope secret access to dedicated permission

Secrets controller previously gated on organization:read, granting auditors (read-only compliance reviewers) plaintext access to credentials and using the same permission for read and write operations.

Introduce a 'secret' RBAC resource with create/read/update/delete actions. Grant full CRUD to owner and admin only. Auditor, employee, and contractor no longer have any secret access. Switch the secrets controller to gate on secret:* actions and update frontend route + button gating to match.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(api): bind integration OAuth callback to initiating session

The integration OAuth callback relied solely on the random state token to identify the initiating user/org. Add defense-in-depth session validation so the same logged-in user (and active organization) that started the flow must be the one completing it; otherwise the state is consumed, the failure is logged, and the user is redirected with session_mismatch.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
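The three rules the first commit lists for authorizeRoleChange() can be read as a single decision function. The block below is an added example written for this page, not the project's code from people/utils/role-authorization.ts: the role names, the request shape, the reason strings and the function name are assumptions, and "holding" a role is modelled literally as set membership, exactly as the commit phrases it (a rank-ordered variant would be a drop-in replacement for rule 3).

```typescript
// Added example (not the project's code): a role-change authorization check
// implementing the three rules named in the fix(api) commit above. The role
// names, the request shape, reason strings and function name are assumptions.

type Role = "owner" | "admin" | "employee" | "contractor" | "auditor";

interface RoleChangeRequest {
  callerId: string;        // member performing the PATCH
  callerRoles: Role[];     // roles the caller currently holds
  targetId: string;        // member whose record is being changed
  currentRoles: Role[];    // target's roles before the change
  requestedRoles: Role[];  // target's roles after the change
}

type Decision = { allowed: true } | { allowed: false; reason: string };

function authorizeRoleChange(req: RoleChangeRequest): Decision {
  // Rule 1: a member may never change their own record through this path;
  // ownership moves only through a dedicated transfer-ownership flow.
  if (req.callerId === req.targetId) {
    return { allowed: false, reason: "self_modification_blocked" };
  }

  const current = new Set<Role>(req.currentRoles);
  const requested = new Set<Role>(req.requestedRoles);

  // Rule 2: the owner role can be neither granted nor removed here.
  if (current.has("owner") !== requested.has("owner")) {
    return { allowed: false, reason: "owner_role_change_blocked" };
  }

  // Rule 3: the caller must hold every role that is newly assigned.
  // Roles the target already has are not re-checked, so removals pass.
  const callerHolds = new Set<Role>(req.callerRoles);
  for (const role of req.requestedRoles) {
    if (!current.has(role) && !callerHolds.has(role)) {
      return { allowed: false, reason: `caller_lacks_role:${role}` };
    }
  }
  return { allowed: true };
}
```

The check is ordered so that the cheapest and most absolute rule (self-modification) fails first; an admin PATCHing their own record is rejected before any role comparison happens, which is what closes the self-escalation path the commit describes.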
🎉 This PR is included in version 3.38.1 🎉
The release is available on GitHub release
Your semantic-release bot 📦🚀
This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.
Summary by cubic

Tightens access control for secrets, role management, and integration OAuth. Adds a dedicated secret permission, blocks unsafe role changes, and ties OAuth callbacks to the initiating session.

New Features
- secret RBAC resource (create, read, update, delete), granted to owner/admin only; auditors and others have no access. Updated API (SecretsController) and UI gating to require secret:*, plus route permission for viewing secrets.

Bug Fixes
- Admins can no longer modify their own member record or grant the owner role here, and must hold every role they assign.
- Integration OAuth callbacks must be completed by the same user and active organization that started the flow; otherwise the user is redirected with session_mismatch. GCP auto-detection is no longer triggered immediately after OAuth.

Written for commit 5627b12.