memos/server/router/api/v1
Claude 1a3298554b
fix(security): implement security review recommendations
This commit addresses all critical and high-priority recommendations from the security review:

**Critical Fixes:**
- Add nil checks before accessing memo properties in SetMemoAttachments and SetMemoRelations
  to prevent potential nil pointer dereference
- Fix information disclosure in DeleteMemoReaction by returning consistent errors
  (now returns permission denied instead of not found to avoid revealing reaction existence)

**Medium Priority Improvements:**
- Add GetReaction() method to store interface for better performance
  (single reaction lookup instead of list operation)
- Implement GetReaction() in all database drivers (SQLite, MySQL, PostgreSQL)
- Update DeleteMemoReaction to use the new GetReaction() method

**Test Coverage:**
- Add comprehensive test coverage for SetMemoAttachments authorization checks
- Add comprehensive test coverage for SetMemoRelations authorization checks
- Add comprehensive test coverage for DeleteMemoReaction authorization checks
- Add comprehensive test coverage for CreateUser registration enforcement

All tests follow the same patterns as existing IDP service tests and cover:
- Success cases for resource owners
- Success cases for superuser/host users
- Permission denied cases for non-owners
- Unauthenticated access attempts
- Not found scenarios

Related to PR #5217 security review recommendations.
2025-11-06 12:07:38 +00:00
| Name | Last commit | Date |
| --- | --- | --- |
| test | fix(security): implement security review recommendations | 2025-11-06 12:07:38 +00:00 |
| acl.go | chore: fix reactions seed data | 2025-10-27 20:27:27 +08:00 |
| acl_config.go | chore: fix linter | 2025-11-05 23:59:24 +08:00 |
| activity_service.go | chore: fix linter | 2025-10-31 08:36:12 +08:00 |
| attachment_service.go | refactor: rename workspace to instance throughout codebase | 2025-11-05 23:35:35 +08:00 |
| auth.go | chore: fix reactions seed data | 2025-10-27 20:27:27 +08:00 |
| auth_service.go | refactor: rename workspace to instance throughout codebase | 2025-11-05 23:35:35 +08:00 |
| auth_service_client_info_test.go | chore: fix linter | 2025-08-31 20:22:32 +08:00 |
| common.go | refactor: remove unused constants | 2025-10-16 20:40:46 +08:00 |
| health_service.go | feat: implement grpc health service checking database connection (#4499) | 2025-03-14 08:43:01 +08:00 |
| idp_service.go | fix(security): add missing authorization checks to various services (#5217) | 2025-11-06 19:42:44 +08:00 |
| instance_service.go | refactor: rename workspace to instance throughout codebase | 2025-11-05 23:35:35 +08:00 |
| logger_interceptor.go | chore: add a new LOG_STACKTRACES option (#4973) | 2025-08-07 23:56:21 +08:00 |
| memo_attachment_service.go | fix(security): implement security review recommendations | 2025-11-06 12:07:38 +00:00 |
| memo_relation_service.go | fix(security): implement security review recommendations | 2025-11-06 12:07:38 +00:00 |
| memo_service.go | refactor: rename workspace to instance throughout codebase | 2025-11-05 23:35:35 +08:00 |
| memo_service_converter.go | refactor: rename workspace to instance throughout codebase | 2025-11-05 23:35:35 +08:00 |
| memo_service_filter.go | refactor: deprecate old filter | 2025-07-22 21:25:57 +08:00 |
| reaction_service.go | fix(security): implement security review recommendations | 2025-11-06 12:07:38 +00:00 |
| resource_name.go | refactor: rename workspace to instance throughout codebase | 2025-11-05 23:35:35 +08:00 |
| shortcut_service.go | refactor: remove unused constants | 2025-10-16 20:40:46 +08:00 |
| test_auth.go | fix: auth context | 2025-06-22 22:58:00 +08:00 |
| user_service.go | fix(api): use correct instance setting method in user registration | 2025-11-06 20:00:35 +08:00 |
| user_service_stats.go | refactor: rename workspace to instance throughout codebase | 2025-11-05 23:35:35 +08:00 |
| v1.go | refactor: rename workspace to instance throughout codebase | 2025-11-05 23:35:35 +08:00 |