mirror of
https://github.com/MODSetter/SurfSense.git
synced 2026-06-18 21:15:16 +02:00
81fc467187
Two integration tests pinning the connector index endpoint's authorization: - cross-space index (attacker owns space B, connector lives in victim's space A, request passes search_space_id=B) is rejected with 404 at the search-space reconciliation, before the permission check (which would otherwise pass for the attacker's own space). - same-space index authorizes check_permission against the connector's own search space, not the caller-supplied query param. Mirrors the existing tests/integration harness (direct handler calls with the savepoint-rolled-back db_session; check_permission patched so the test needs no real RBAC wiring). |
||
|---|---|---|
| .. | ||
| alembic | ||
| app | ||
| scripts | ||
| tests | ||
| .dockerignore | ||
| .env.example | ||
| .gitignore | ||
| .python-version | ||
| alembic.ini | ||
| celery_worker.py | ||
| Dockerfile | ||
| main.py | ||
| pyproject.toml | ||
| uv.lock | ||