memos/store
Claude 1a3298554b
fix(security): implement security review recommendations
This commit addresses all critical and high-priority recommendations from the security review:

**Critical Fixes:**
- Add nil checks before accessing memo properties in SetMemoAttachments and SetMemoRelations
  to prevent potential nil pointer dereference
- Fix information disclosure in DeleteMemoReaction by returning consistent errors
  (now returns permission denied instead of not found to avoid revealing reaction existence)

**Medium Priority Improvements:**
- Add GetReaction() method to store interface for better performance
  (single reaction lookup instead of list operation)
- Implement GetReaction() in all database drivers (SQLite, MySQL, PostgreSQL)
- Update DeleteMemoReaction to use the new GetReaction() method

**Test Coverage:**
- Add comprehensive test coverage for SetMemoAttachments authorization checks
- Add comprehensive test coverage for SetMemoRelations authorization checks
- Add comprehensive test coverage for DeleteMemoReaction authorization checks
- Add comprehensive test coverage for CreateUser registration enforcement

All tests follow the same patterns as existing IDP service tests and cover:
- Success cases for resource owners
- Success cases for superuser/host users
- Permission denied cases for non-owners
- Unauthenticated access attempts
- Not found scenarios

Related to PR #5217 security review recommendations.
2025-11-06 12:07:38 +00:00
| Name | Last commit | Date |
|---|---|---|
| cache | chore: fix linter | 2025-08-31 20:22:32 +08:00 |
| db | fix(security): implement security review recommendations | 2025-11-06 12:07:38 +00:00 |
| migration | chore: update migrator comments | 2025-07-16 21:59:37 +08:00 |
| seed | chore: fix reactions seed data | 2025-10-27 20:27:27 +08:00 |
| test | refactor: rename workspace to instance throughout codebase | 2025-11-05 23:35:35 +08:00 |
| activity.go | chore: remove version update activity | 2025-02-09 11:48:53 +08:00 |
| attachment.go | refactor: rename workspace to instance throughout codebase | 2025-11-05 23:35:35 +08:00 |
| cache.go | chore: update store cache | 2024-05-12 13:19:31 +08:00 |
| common.go | chore: update workspace setting store | 2024-04-13 02:08:35 +08:00 |
| driver.go | fix(security): implement security review recommendations | 2025-11-06 12:07:38 +00:00 |
| idp.go | refactor: store cache | 2025-05-27 22:06:41 +08:00 |
| inbox.go | refactor(api): migrate inbox functionality to user notifications | 2025-10-31 08:33:09 +08:00 |
| instance_setting.go | refactor: rename workspace to instance throughout codebase | 2025-11-05 23:35:35 +08:00 |
| memo.go | feat: enhance memo sorting functionality to support multiple fields | 2025-10-20 23:41:58 +08:00 |
| memo_relation.go | fix: list memo relations | 2025-04-12 22:02:13 +08:00 |
| migration_history.go | refactor: rename workspace to instance throughout codebase | 2025-11-05 23:35:35 +08:00 |
| migrator.go | refactor: rename workspace to instance throughout codebase | 2025-11-05 23:35:35 +08:00 |
| reaction.go | fix(security): implement security review recommendations | 2025-11-06 12:07:38 +00:00 |
| store.go | refactor: rename workspace to instance throughout codebase | 2025-11-05 23:35:35 +08:00 |
| user.go | refactor: remove unused constants | 2025-10-16 20:40:46 +08:00 |
| user_setting.go | refactor: webhook service | 2025-06-24 21:28:21 +08:00 |