patched security holes

Oliver Bryan
2026-01-21 22:44:57 +00:00
parent db0be8330e
commit be57b4d6df
11 changed files with 129 additions and 23 deletions


@@ -1,6 +1,6 @@
import { IssueCreateRequestSchema } from "@sprint/shared";
import type { AuthedRequest } from "../../auth/middleware";
import { createIssue, getProjectByID } from "../../db/queries";
import { createIssue, getOrganisationMemberRole, getProjectByID } from "../../db/queries";
import { errorResponse, parseJsonBody } from "../../validation";
export default async function issueCreate(req: AuthedRequest) {
@@ -14,6 +14,18 @@ export default async function issueCreate(req: AuthedRequest) {
return errorResponse(`project not found: ${projectId}`, "PROJECT_NOT_FOUND", 404);
}
const requesterMember = await getOrganisationMemberRole(project.organisationId, req.userId);
if (!requesterMember) {
return errorResponse("you are not a member of this organisation", "NOT_MEMBER", 403);
}
if (requesterMember.role !== "owner" && requesterMember.role !== "admin") {
return errorResponse(
"only organisation owners and admins can create issues",
"PERMISSION_DENIED",
403,
);
}
const issue = await createIssue(
project.id,
title,