patched security holes

2026-02-08 10:33:01 +00:00 · 2026-01-21 22:44:57 +00:00
parent db0be8330e
commit be57b4d6df
11 changed files with 129 additions and 23 deletions
--- a/packages/backend/src/routes/issue/update.ts
+++ b/packages/backend/src/routes/issue/update.ts
@@ -1,9 +1,15 @@
 import { type IssueRecord, IssueUpdateRequestSchema } from "@sprint/shared";
-import type { BunRequest } from "bun";
-import { getIssueByID, setIssueAssignees, updateIssue } from "../../db/queries";
+import type { AuthedRequest } from "../../auth/middleware";
+import {
+    getIssueByID,
+    getOrganisationMemberRole,
+    getProjectByID,
+    setIssueAssignees,
+    updateIssue,
+} from "../../db/queries";
 import { errorResponse, parseJsonBody } from "../../validation";

-export default async function issueUpdate(req: BunRequest) {
+export default async function issueUpdate(req: AuthedRequest) {
    const parsed = await parseJsonBody(req, IssueUpdateRequestSchema);
    if ("error" in parsed) return parsed.error;

@@ -23,7 +29,25 @@ export default async function issueUpdate(req: BunRequest) {
    const hasIssueFieldUpdates =
        title !== undefined || description !== undefined || status !== undefined || sprintId !== undefined;

-    let issue: IssueRecord | undefined;
+    const existingIssue = await getIssueByID(id);
+    if (!existingIssue) {
+        return errorResponse(`issue not found: ${id}`, "ISSUE_NOT_FOUND", 404);
+    }
+
+    const project = await getProjectByID(existingIssue.projectId);
+    if (!project) {
+        return errorResponse("project not found", "PROJECT_NOT_FOUND", 404);
+    }
+
+    const requesterMember = await getOrganisationMemberRole(project.organisationId, req.userId);
+    if (!requesterMember) {
+        return errorResponse("you are not a member of this organisation", "NOT_MEMBER", 403);
+    }
+    if (requesterMember.role !== "owner" && requesterMember.role !== "admin") {
+        return errorResponse("only organisation owners and admins can edit issues", "PERMISSION_DENIED", 403);
+    }
+
+    let issue: IssueRecord | undefined = existingIssue;
    if (hasIssueFieldUpdates) {
        [issue] = await updateIssue(id, {
            title,
@@ -31,8 +55,6 @@ export default async function issueUpdate(req: BunRequest) {
            sprintId,
            status,
        });
-    } else {
-        issue = await getIssueByID(id);
    }

    if (assigneeIds !== undefined) {