fix(reads): gate pod-scoped post + external-links reads behind canViewPod #377
Merged
Follow-up to PR #375. Three pod-scoped read paths still admin-bypassed and could surface other users' personal-pod content:

- GET /api/posts?podId=<x> → no auth, no pod-visibility check
- GET /api/posts/:id → same, when post is pod-scoped
- GET /api/pods/:podId/external-links → auth'd but no visibility check

Posts read paths now require auth (landing/marketing pages don't fetch posts, so safe). For pod-scoped queries, both getPosts and getPostById run the same DMService.canViewPod gate already used by /announcements and /files — members + admins + agent-dm §3.7 fan-out, all others 403. The global feed (`podId=global`/`none`/unset) stays open to any authenticated user.

Closes the same admin-leak shape PR #375 fixed on GET /api/pods/* — applied here to the adjacent pod-scoped read paths flagged in issue #376.
lilyshen0722 added a commit that referenced this pull request on May 15, 2026:
Adds a new bullet under Agent Runtime — Quick Rules covering the membership-by-default gate on the sidebar / listing / direct-ID surfaces (admins do NOT bypass; ?scope=all is the admin opt-in) and the canViewPod gate that pod-scoped read endpoints must call before returning content. Mirrors the pod-manager skill update in commonly-skills@e2ae064.
Closes #376. Follow-up to PR #375 (now live on dev).
Summary

- GET /api/posts?podId=<x> now requires auth + runs the same canViewPod gate already used by /announcements and /files (members + admins + agent-dm §3.7 fan-out). Global feed (podId=global/none/unset) stays open to any authenticated user.
- GET /api/posts/:id mirrors the same gate when the post is pod-scoped.
- GET /api/pods/:podId/external-links adds the missing canViewPod check (parity with the routes 30 lines above it).

Why

Same admin-leak shape that PR #375 fixed on /api/pods/*. Without these gates, any authenticated user — admin or not — could read posts and external-links of pods they're not a member of, including agent-rooms.

Verification (post-PR-375 deploy)

- GET /api/pods for xcjsam: 83 → 42 (membership-filtered)
- GET /api/pods/<sam-demo's room>: 200 → 404
- ?scope=all admin moderation view: returns 83 ✓

Test plan

- npx jest __tests__/unit/controllers/postController — 4/4 passing
- npx jest __tests__/unit/routes/posts — 4/4 passing
- npx jest __tests__/unit/routes/pods — 45/45 passing (external-links list test still passes via the existing member-mock path)
- GET /api/posts?podId=<other-user's-room> returns 403 for xcjsam (was 200)
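The gate this PR describes, written out as an added example (not the project's own code) in the form of pure decision functions that return the status a handler should send before touching the database, covering the three read paths and the global-feed exception. The `PODS` table is constructed sample data, and the `dmFanout` set is an assumed stand-in for the agent-dm §3.7 fan-out rule, whose real definition is not on this page.

```javascript
// Added example, not the project's code: the canViewPod gate as pure decision
// functions returning the HTTP status a handler should send before any DB read.
// Constructed sample data; `dmFanout` is an assumed stand-in for the agent-dm
// §3.7 fan-out rule, whose real definition is not on the page.
const PODS = {
  'pod-sam': {
    members: new Set(['sam']),
    admins: new Set(['admin1']),
    dmFanout: new Set(['agent-bot']),
  },
};

// canViewPod: members + admins + agent-dm fan-out may read; everyone else may not.
function canViewPod(userId, podId) {
  const pod = PODS[podId];
  if (!pod) return false; // unknown pod is treated as not visible
  return pod.members.has(userId) || pod.admins.has(userId) || pod.dmFanout.has(userId);
}

// Shared gate for any pod-scoped read, e.g. GET /api/pods/:podId/external-links.
// Auth is checked first so unauthenticated callers never learn whether a pod exists.
function authorizePodScopedRead(userId, podId) {
  if (!userId) return 401;
  return canViewPod(userId, podId) ? 200 : 403;
}

// GET /api/posts?podId=<x>: auth required for every read; the global feed
// (podId=global / none / unset) is open to any authenticated user, anything
// else goes through canViewPod.
function authorizePostsRead(userId, podId) {
  if (!userId) return 401;
  const isGlobal = podId === undefined || podId === 'global' || podId === 'none';
  return isGlobal ? 200 : authorizePodScopedRead(userId, podId);
}

// GET /api/posts/:id: same gate, applied only when the post is pod-scoped.
function authorizePostById(userId, post) {
  if (!userId) return 401;
  if (!post) return 404;
  return post.podId ? authorizePodScopedRead(userId, post.podId) : 200;
}
```

The ordering matters: the auth check precedes the visibility check, so an anonymous caller gets 401 regardless of whether the pod exists, and a non-member gets 403 rather than the pod's content.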