Security: is_read_only enforced on only one endpoint #77
Labels
No labels
area:api
area:core
area:docs
area:infra
area:ux
dependencies
documentation
duplicate
good first issue
help wanted
invalid
question
rust
status:complete
status:partial
status:planned
type:bug
type:design
type:feature
type:infra
type:refactor
type:refactor
type:research
type:ux
wontfix
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
icub3d/decentcom#77
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Severity: High — found in code review 2026-07-07.
Problem
The
is_read_onlysession flag (used for unapproved/revoked bots) is enforced on exactly one endpoint:server/src/messages/handlers.rs:142. A grep confirms no other handler checks it.A read-only session can still: add/remove reactions, upload attachments (
attachments/handlers.rs:101), edit/delete its own messages, update its profile, and create invites. The read-only guarantee is effectively cosmetic.Fix
Enforce
is_read_onlycentrally — reject read-only sessions for all mutating routes in theMemberUser/permission extractor, rather than per-handler.Acceptance