security: add missed authorization check #2637

Merged: asvishnyakov merged 3 commits into main from fix/missed-authorization on Nov 7, 2025
@asvishnyakov
Member

No description provided.

@dosubot (bot) added the size:M (This PR changes 30-99 lines, ignoring generated files) and security labels on Nov 7, 2025
@dosubot (bot) added the size:L (This PR changes 100-499 lines, ignoring generated files) label and removed the size:M (This PR changes 30-99 lines, ignoring generated files) label on Nov 7, 2025
@asvishnyakov asvishnyakov added this pull request to the merge queue Nov 7, 2025
Merged via the queue into main with commit 8f1153d Nov 7, 2025
9 checks passed
@asvishnyakov asvishnyakov deleted the fix/missed-authorization branch November 7, 2025 22:27
@jbcallaghan

Can you please review this change again as it breaks co-pilot mode

@fgalind1
Contributor

> Can you please review this change again as it breaks co-pilot mode

+1 broke it on my end also

@jbcallaghan

I just tested changing my local copy of socket.py with your changes and it seems to be working now with copilot :-)

These are the only changes I made:

    if thread_id:
        if data_layer := get_data_layer():
            thread = await data_layer.get_thread(thread_id)
            if thread and not (thread["userIdentifier"] == user.identifier):
                logger.error("Authorization for the thread failed.")
                raise ConnectionRefusedError("authorization failed")
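
The ownership check from the comment above, wrapped so each of its branches can be exercised; this is an added example, not code from the PR or the project. `User`, `InMemoryDataLayer`, `authorize_thread`, `check` and the sample threads are hypothetical; only the `thread["userIdentifier"]` comparison and the `ConnectionRefusedError` come from the snippet.

```python
import asyncio
from dataclasses import dataclass

@dataclass
class User:
    identifier: str

class InMemoryDataLayer:
    """Hypothetical stand-in for a data layer, holding constructed threads."""
    def __init__(self, threads):
        self._threads = threads

    async def get_thread(self, thread_id):
        return self._threads.get(thread_id)

async def authorize_thread(user, thread_id, data_layer):
    """Same decision logic as the snippet above, with each outcome named."""
    if not thread_id:
        return "no thread requested"       # allowed: nothing to check
    if data_layer is None:
        return "no data layer configured"  # allowed: ownership cannot be looked up
    thread = await data_layer.get_thread(thread_id)
    if not thread:
        return "thread not found"          # allowed: unknown thread id
    if thread["userIdentifier"] != user.identifier:
        raise ConnectionRefusedError("authorization failed")
    return "owner"

def check(user, thread_id, data_layer):
    """Run the check synchronously; return the allow reason or 'refused'."""
    try:
        return asyncio.run(authorize_thread(user, thread_id, data_layer))
    except ConnectionRefusedError:
        return "refused"

# Constructed sample data: two threads owned by different users.
SAMPLE = InMemoryDataLayer({
    "t-alice": {"userIdentifier": "alice"},
    "t-bob": {"userIdentifier": "bob"},
})

if __name__ == "__main__":
    alice = User("alice")
    for tid in ("t-alice", "t-bob", "t-unknown", None):
        print(tid, "->", check(alice, tid, SAMPLE))
    print("t-bob without a data layer ->", check(alice, "t-bob", None))
```

Only a confirmed owner mismatch refuses the connection; a missing thread id, a missing data layer and an unknown thread id all let it through.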

@asvishnyakov
Member Author

asvishnyakov commented Nov 18, 2025

@jbcallaghan I wrote a few tests locally to cover this and similar situations with copilot, ACL, etc., but wasn't able to get the most critical of them working. I'll complete this PR ASAP and merge it.

@jbcallaghan

jbcallaghan commented Nov 18, 2025

@asvishnyakov thanks very much for your help in fixing this issue, much appreciated.

@jbcallaghan

Any news on when this change will make it into the next release?

@asvishnyakov
Member Author

@jbcallaghan Yes, I think I'll complete and release it later today
