merlyn/server/models
Timothy Carambat f2030343d7 Fix potential IDOR vulnerability in workspace parsed files endpoints
Add ownership validation to prevent users from deleting or embedding
parsed files that don't belong to them. Previously, the delete and
embed endpoints only validated authentication but not resource ownership,
allowing users to delete attached files for users within workspaces they are also a member of.

Changes:
- Delete endpoint now filters by userId and workspaceId
- Embed endpoint validates file belongs to user and workspace (redundant)
- delete() returns false when no matching records found (returns 403)
- Added JSDoc comments for clarity
GHSA-p5rf-8p88-979c
2026-03-13 15:22:07 -07:00
apiKeys.js [FEAT] Automated audit logging (#667) 2024-02-06 15:21:40 -08:00
browserExtensionApiKey.js Enforce user suspension check on browser extension API key path 2026-03-13 10:05:05 -07:00
cacheData.js Infinite prompt input and compression implementation (#332) 2023-11-06 13:13:53 -08:00
communityHub.js Publish slash commands to hub (#4019) 2025-06-24 16:19:50 -07:00
documents.js chore: add ESLint to /server (#5126) 2026-03-05 16:32:45 -08:00
documentSyncQueue.js fix issue with files loading with watching enabled (#3930) 2025-06-01 14:53:48 -05:00
documentSyncRun.js [BETA] Live document sync (#1719) 2024-06-21 13:38:50 -07:00
embedChats.js chore: add ESLint to /server (#5126) 2026-03-05 16:32:45 -08:00
embedConfig.js chore: add ESLint to /server (#5126) 2026-03-05 16:32:45 -08:00
eventLogs.js [FEAT] Automated audit logging (#667) 2024-02-06 15:21:40 -08:00
invite.js Add ability to add invitee to workspaces automatically (#975) 2024-03-26 16:38:32 -07:00
mobileDevice.js chore: add ESLint to /server (#5126) 2026-03-05 16:32:45 -08:00
passwordRecovery.js Migrate to bcryptjs (#4767) 2025-12-11 15:19:04 -08:00
promptHistory.js fix null entry on new workspace 2025-05-08 08:34:37 -07:00
slashCommandsPresets.js Community hub integration (#2555) 2024-11-26 09:59:43 -08:00
systemPromptVariables.js New Default System Prompt Variables (User ID, Workspace ID, & Workspace Name) (#4414) 2025-09-29 14:32:56 -07:00
systemSettings.js fix schema not persisting in DB connector 2026-03-11 11:43:38 -07:00
telemetry.js Workspace Chat with documents overhaul (#4261) 2025-08-11 09:26:19 -07:00
temporaryAuthToken.js Add custom JWT TTL (#4234) 2025-08-01 10:39:38 -07:00
user.js chore: add ESLint to /server (#5126) 2026-03-05 16:32:45 -08:00
vectors.js Purge cached docs and remove docs from all workspaces on vectorDB/embedder changes (#2819) 2024-12-16 12:16:20 -08:00
workspace.js Revert "Add automatic chat mode with native tool calling support (#5140)" 2026-03-04 15:29:41 -08:00
workspaceAgentInvocation.js patch agent invocation regression 2024-04-27 12:39:45 -07:00
workspaceChats.js Handle BigInt in message response (#4110) 2025-07-10 12:33:34 -07:00
workspaceParsedFiles.js Fix potential IDOR vulnerability in workspace parsed files endpoints 2026-03-13 15:22:07 -07:00
workspacesSuggestedMessages.js [FEAT] create custom prompt suggestions per workspace (#664) 2024-02-06 11:24:33 -08:00
workspaceThread.js Add ability to search workspace and threads (#4120) 2025-07-10 16:42:10 -07:00
workspaceUsers.js Add new workspace user management endpoint (#2842) 2024-12-16 11:50:34 -08:00