fix(security): scope task get, create, and delete to the owner#2265
Open
mesutoezdil wants to merge 2 commits into
Open
fix(security): scope task get, create, and delete to the owner#2265mesutoezdil wants to merge 2 commits into
mesutoezdil wants to merge 2 commits into
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR addresses a security gap in the Go core HTTP + Postgres storage path by introducing task ownership (via task.user_id) and scoping task read/write/delete operations to the authenticated owner, aligning tasks with existing owner-scoped access patterns used elsewhere (e.g., sessions/events).
Changes:
- Adds a
user_idcolumn totaskand backfills it from the owning session during migration. - Updates task GET/CREATE/DELETE handlers and the database client interface to require a
userIDfor owner scoping. - Updates SQL queries/sqlc-generated code and adds/adjusts tests to validate owner-scoped behavior.
Reviewed changes
Copilot reviewed 8 out of 11 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| go/core/pkg/migrations/core/000008_task_owner.up.sql | Adds task.user_id and backfills it from session.user_id. |
| go/core/pkg/migrations/core/000008_task_owner.down.sql | Drops task.user_id on rollback. |
| go/core/internal/httpserver/handlers/tasks.go | Scopes task get/create/delete endpoints by effective user ID; handles ownership conflict on create. |
| go/core/internal/httpserver/handlers/sessions_test.go | Updates test setup to pass userID to StoreTask. |
| go/core/internal/database/queries/tasks.sql | Scopes GetTask/SoftDeleteTask by user_id; extends upsert to persist user_id; adds GetTaskOwner. |
| go/core/internal/database/gen/tasks.sql.go | sqlc regen reflecting new task columns and updated query params. |
| go/core/internal/database/gen/querier.go | Updates querier interface for new task query signatures. |
| go/core/internal/database/gen/models.go | Extends generated Task model with UserID. |
| go/core/internal/database/client_test.go | Updates existing tests for new StoreTask signature; adds owner scoping test. |
| go/core/internal/database/client_postgres.go | Scopes task get/store/delete methods by userID and checks ownership on store. |
| go/api/database/client.go | Updates DB client interface and introduces ErrTaskOwnedByAnotherUser. |
Files not reviewed (3)
- go/core/internal/database/gen/models.go: Generated file
- go/core/internal/database/gen/querier.go: Generated file
- go/core/internal/database/gen/tasks.sql.go: Generated file
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
mesutoezdil
force-pushed
the
fix/task-endpoint-authorization
branch
2 times, most recently
from
July 16, 2026 07:58
5f8961d to
078f616
Compare
Any user could read, overwrite, or delete any other user's task by id. Task now has a user_id column, backfilled from its session, and all three endpoints check it like session and event already do. Signed-off-by: mesutoezdil <mesudozdil@gmail.com>
mesutoezdil
force-pushed
the
fix/task-endpoint-authorization
branch
from
July 16, 2026 08:08
078f616 to
9af4ce4
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Task get, create, and delete had no owner check at all. Any user could read another user's task by id, delete it, or even overwrite its data by posting a task with the same id.
Task now has a user_id column, backfilled from its session on migration. All three endpoints check it, same pattern already used for session and event.