Commit Graph

9 Commits

Author SHA1 Message Date
Claude 1a3298554b fix(security): implement security review recommendations
This commit addresses all critical and high-priority recommendations from the security review:

**Critical Fixes:**
- Add nil checks before accessing memo properties in SetMemoAttachments and SetMemoRelations
  to prevent potential nil pointer dereference
- Fix information disclosure in DeleteMemoReaction by returning consistent errors
  (now returns permission denied instead of not found to avoid revealing reaction existence)

**Medium Priority Improvements:**
- Add GetReaction() method to store interface for better performance
  (single reaction lookup instead of list operation)
- Implement GetReaction() in all database drivers (SQLite, MySQL, PostgreSQL)
- Update DeleteMemoReaction to use the new GetReaction() method

**Test Coverage:**
- Add comprehensive test coverage for SetMemoAttachments authorization checks
- Add comprehensive test coverage for SetMemoRelations authorization checks
- Add comprehensive test coverage for DeleteMemoReaction authorization checks
- Add comprehensive test coverage for CreateUser registration enforcement

All tests follow the same patterns as existing IDP service tests and cover:
- Success cases for resource owners
- Success cases for superuser/host users
- Permission denied cases for non-owners
- Unauthenticated access attempts
- Not found scenarios

Related to PR #5217 security review recommendations.
2025-11-06 12:07:38 +00:00
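The information-disclosure fix in this commit is easiest to see side by side. The following is an added example written for this page, not code from the memos project: a pre-fix shape that lets a non-owner distinguish "this reaction does not exist" from "this reaction belongs to someone else", and a hardened shape that returns the same permission-denied error for both. The `ReactionStore`, `User` type, sentinel errors and the choice that a host still receives not-found (a host can already list every reaction) are assumptions of the example; the real service uses gRPC status codes.

```go
package main

import (
	"errors"
	"fmt"
)

// Sentinel errors standing in for the gRPC status codes the service returns
// (assumption for this example).
var (
	ErrUnauthenticated  = errors.New("unauthenticated")
	ErrPermissionDenied = errors.New("permission denied")
	ErrNotFound         = errors.New("not found")
)

type User struct {
	ID     int32
	IsHost bool // host/superuser may delete any reaction
}

type Reaction struct {
	ID        int32
	CreatorID int32
}

// ReactionStore is an in-memory stand-in for the store's GetReaction lookup
// (constructed for this example).
type ReactionStore map[int32]Reaction

func (s ReactionStore) GetReaction(id int32) (*Reaction, error) {
	r, ok := s[id]
	if !ok {
		return nil, ErrNotFound
	}
	return &r, nil
}

func canDelete(caller *User, r *Reaction) bool {
	return caller.IsHost || r.CreatorID == caller.ID
}

// deleteReactionLeaky is the pre-fix shape: a non-owner probing IDs gets
// "not found" for absent reactions and "permission denied" for existing ones,
// so the error alone confirms which IDs exist.
func deleteReactionLeaky(s ReactionStore, caller *User, id int32) error {
	if caller == nil {
		return ErrUnauthenticated
	}
	r, err := s.GetReaction(id)
	if err != nil {
		return err // leaks existence to anyone who is authenticated
	}
	if !canDelete(caller, r) {
		return ErrPermissionDenied
	}
	delete(s, id)
	return nil
}

// deleteReactionConsistent collapses the two outcomes for a non-host caller:
// an absent reaction and someone else's reaction both yield permission denied.
// A host still gets not found, since a host can list every reaction anyway
// (design assumption for this example).
func deleteReactionConsistent(s ReactionStore, caller *User, id int32) error {
	if caller == nil {
		return ErrUnauthenticated
	}
	r, err := s.GetReaction(id)
	if err != nil {
		if caller.IsHost {
			return err
		}
		return ErrPermissionDenied
	}
	if !canDelete(caller, r) {
		return ErrPermissionDenied
	}
	delete(s, id)
	return nil
}

// existenceOracle reports whether an attacker calling fn on an absent ID and
// on another user's ID can tell the two apart from the returned error alone.
func existenceOracle(fn func(ReactionStore, *User, int32) error) bool {
	s := ReactionStore{1: {ID: 1, CreatorID: 100}} // reaction owned by user 100
	attacker := &User{ID: 200}
	errExisting := fn(s, attacker, 1)
	errAbsent := fn(s, attacker, 999)
	return !errors.Is(errExisting, errAbsent)
}

func main() {
	fmt.Println("leaky distinguishable:", existenceOracle(deleteReactionLeaky))           // true
	fmt.Println("consistent distinguishable:", existenceOracle(deleteReactionConsistent)) // false
}
```

The `existenceOracle` check is the kind of assertion worth keeping in the authorization tests this commit adds: it fails whenever a future refactor reintroduces a distinguishable error path for non-owners.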
Steven 46ce0bc62e fix(store): correct PostgreSQL placeholder generation in IN clauses
Fixes a regression introduced in v0.25.2 where PostgreSQL IN clause
placeholders were not properly incremented, causing all parameters to
use the same placeholder index (e.g., $1, $1, $1 instead of $1, $2, $3).

This bug affected:
- ListReactions (ContentIDList) - caused "failed to list reactions" errors
- ListAttachments (MemoIDList)
- ListMemos (IDList and UIDList)

The fix combines placeholder generation and argument appending into a
single loop to ensure proper incrementing.

Fixes #5188

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-25 06:47:06 +08:00
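The regression described in this commit is a classic two-loop placeholder bug, and it is worth seeing both the broken shape and the check that would have caught it. The following is an added example written for this page, not the project's store code: a buggy builder that emits `$1, $1, $1`, the single-loop fix that derives each index from the current argument count, and a `placeholdersConsistent` helper a unit test can run over any generated PostgreSQL query. The `reaction` table and column names, the `SELECT id` projection and the function names are assumptions of the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// appendInClauseBuggy mirrors the shape of the regression: the placeholder
// index is captured once, placeholders are emitted in one loop and the
// arguments appended in a second, so the index never advances and every
// placeholder renders as the same "$N". Illustration for this page only.
func appendInClauseBuggy(column string, values []string, args []any) (string, []any) {
	idx := len(args) + 1
	holders := make([]string, 0, len(values))
	for range values {
		holders = append(holders, fmt.Sprintf("$%d", idx)) // idx is never incremented
	}
	for _, v := range values {
		args = append(args, v)
	}
	return fmt.Sprintf("%s IN (%s)", column, strings.Join(holders, ", ")), args
}

// appendInClauseFixed appends each argument and emits its placeholder in the
// same iteration, deriving the index from len(args) so it advances by exactly
// one per value and stays correct after any preceding WHERE arguments.
func appendInClauseFixed(column string, values []string, args []any) (string, []any) {
	holders := make([]string, 0, len(values))
	for _, v := range values {
		args = append(args, v)
		holders = append(holders, fmt.Sprintf("$%d", len(args)))
	}
	return fmt.Sprintf("%s IN (%s)", column, strings.Join(holders, ", ")), args
}

var placeholderRe = regexp.MustCompile(`\$(\d+)`)

// placeholdersConsistent is the invariant a test for any PostgreSQL query
// builder should assert: the placeholders in the SQL are exactly $1..$N for
// N arguments, each used once. Duplicates such as $1, $1, $1 fail it.
func placeholdersConsistent(sql string, args []any) bool {
	matches := placeholderRe.FindAllStringSubmatch(sql, -1)
	if len(matches) != len(args) {
		return false
	}
	seen := make([]bool, len(args)+1)
	for _, m := range matches {
		n, err := strconv.Atoi(m[1])
		if err != nil || n < 1 || n > len(args) || seen[n] {
			return false
		}
		seen[n] = true
	}
	return true
}

// buildListReactionsQuery is a hypothetical ListReactions query builder with a
// creator filter first, so the IN clause must start at $2 (table and column
// names are assumptions of this example).
func buildListReactionsQuery(creatorID int32, contentIDs []string) (string, []any) {
	args := []any{creatorID}
	where := []string{"creator_id = $1"}
	if len(contentIDs) > 0 {
		var in string
		in, args = appendInClauseFixed("content_id", contentIDs, args)
		where = append(where, in)
	}
	return "SELECT id FROM reaction WHERE " + strings.Join(where, " AND "), args
}

func main() {
	ids := []string{"memos/1", "memos/2", "memos/3"}
	bad, badArgs := appendInClauseBuggy("content_id", ids, nil)
	fmt.Println(bad, placeholdersConsistent(bad, badArgs)) // content_id IN ($1, $1, $1) false
	sql, args := buildListReactionsQuery(42, ids)
	fmt.Println(sql, placeholdersConsistent(sql, args)) // ... IN ($2, $3, $4) true
}
```

Because PostgreSQL binds by index, the buggy query is not a silent wrong-result bug: the driver receives three arguments for a statement that references only `$1`, which is the "failed to list reactions" error the commit describes. The `placeholdersConsistent` check catches the mismatch without a database.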
Copilot b685ffacdf refactor: memo filter
- Updated memo and reaction filtering logic to use a unified engine for compiling filter expressions into SQL statements.
- Removed redundant filter parsing and conversion code from ListMemoRelations, ListReactions, and ListAttachments methods.
- Introduced IDList and UIDList fields in FindMemo and FindReaction structs to support filtering by multiple IDs.
- Removed old filter test files for reactions and attachments, as the filtering logic has been centralized.
- Updated tests for memo filtering to reflect the new SQL statement compilation approach.
- Ensured that unsupported user filters return an error in ListUsers method.
2025-10-16 09:22:52 +08:00
varsnotwars f4bdfa28a0 feat: filter/method for reactions by content_id (#4969) 2025-08-08 00:00:51 +08:00
Steven e527b6a878 feat: move reaction type to setting 2024-10-10 21:06:32 +08:00
Steven cebc46adc7 chore: tweak store definition 2024-04-13 11:54:37 +08:00
Steven 4081a6f5ad chore: add more reactions 2024-02-08 21:20:51 +08:00
Steven 3a5bc82d39 chore: implement reaction service 2024-02-08 11:54:59 +08:00
Steven 559e427c50 chore: implement reaction store 2024-02-07 23:40:23 +08:00