Skip to content

fix: guard api to builder only #17646

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Dakuan wants to merge 4 commits into
base: master
Choose a base branch
from
Open

fix: guard api to builder only #17646

Dakuan wants to merge 4 commits into from
+30 −1

Conversation

@Dakuan
Copy link
Contributor

@Dakuan Dakuan commented Dec 19, 2025
edited by cubic-dev-ai bot
Loading

Summary by cubic

Guarded the row fetch endpoint so only builders can access internal dev-only tables. Non-builders now get a 404 in production instead of seeing dev-only tables. External tables are unaffected.

  • Bug Fixes
    • Check workspace DB for the table; if missing and user isn’t a builder, return 404.
    • Added test: BASIC role receives 404 when fetching a dev-only internal table in prod.

Written for commit f6b5b15. Summary will update on new commits.

@Dakuan
Copy link
Contributor Author

Dakuan commented Dec 19, 2025

@cubic-dev-ai review this pull request

@cubic-dev-ai
Copy link
Contributor

cubic-dev-ai bot commented Dec 19, 2025

@cubic-dev-ai review this pull request

@Dakuan I have started the AI code review. It will take a few minutes to complete.

cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Dec 19, 2025
View reviewed changes
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 2 files

@Dakuan Dakuan marked this pull request as ready for review December 19, 2025 13:58
@Dakuan Dakuan requested a review from a team as a code owner December 19, 2025 13:58
@Dakuan Dakuan requested review from adrinr and removed request for a team December 19, 2025 13:58
cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Dec 19, 2025
View reviewed changes
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 2 files

adrinr
adrinr reviewed Dec 19, 2025
View reviewed changes
packages/server/src/api/controllers/row/index.ts

export async function fetch(ctx: UserCtx<void, FetchRowsResponse>) {
const { tableId } = utils.getSourceId(ctx)
if (!isExternalTableID(tableId)) {
Copy link
Member

@adrinr adrinr Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should be done in the internal.ts implementation, not here.

Copy link
Contributor Author

@Dakuan Dakuan Dec 19, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hmm i did consider that, but felt authy concerns should be nearer the API boundary, lets chat monday!

@github-actions github-actions bot added the stale label Dec 26, 2025
@github-actions github-actions bot removed the stale label Jan 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adrinr adrinr adrinr left review comments

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

size/s

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Dakuan @adrinr @melohagan