From 4f3f77119d342e5489d1ba7533ad6d51bdcd565f Mon Sep 17 00:00:00 2001
From: Timothy Carambat <rambat1010@gmail.com>
Date: Wed, 22 Apr 2026 16:45:34 -0700
Subject: [PATCH] resolve GHSA-jwqg-jfg3-x5vv

---
 server/endpoints/workspaces.js | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/server/endpoints/workspaces.js b/server/endpoints/workspaces.js
index 2a31cfb6..1fa60b50 100644
--- a/server/endpoints/workspaces.js
+++ b/server/endpoints/workspaces.js
@@ -618,12 +618,15 @@ function workspaceEndpoints(app) {
       try {
         const { chatId } = request.params;
         const workspace = response.locals.workspace;
+        const user = await userFromSession(request, response);
         const cacheKey = `${workspace.slug}:${chatId}`;
         const wsChat = await WorkspaceChats.get({
           id: Number(chatId),
           workspaceId: workspace.id,
+          user_id: user?.id,
         });
 
+        if (!wsChat) return response.sendStatus(404);
         const cachedResponse = responseCache.get(cacheKey);
         if (cachedResponse) {
           response.writeHead(200, {