apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-06 19:35:13 +02:00
Code Issues Projects Releases Packages Wiki Activity
nyx/tests/fixtures/auth_analysis/row_ownership_equality.rs
Eli Peter a438886217
Python fp and docs updtes (#58) 
* refactor: Update comments for clarity and add expectations.json files for performance metrics

* feat: Implement FP guard for JS/TS local-collection receivers to suppress missing ownership checks

* feat: Enhance Rust parameter handling to classify local collections and prevent false ownership checks

* refactor: Simplify code formatting for better readability in multiple files

* refactor: Improve UTF-8 sequence length handling and enhance clarity in loop iteration

* feat: Update Java and Python patterns to include new security rules

* refactor: Improve comment clarity and consistency across multiple Rust files

* refactor: Simplify code formatting for improved readability in integration tests and module files

* refactor: Improve comment formatting and enhance clarity in assertions across multiple files
2026-04-29 19:53:34 -04:00

48 lines
1.1 KiB
Rust
Raw Permalink Blame History

struct Ctx;
struct Req;
struct User {
id: i64,
}
struct Db;
impl Db {
fn query_one(&self, _s: &str, _a: &[i64]) -> Row {
Row
}
}
struct Row;
impl Row {
fn get_i64(&self, _c: &str) -> i64 {
0
}
}
mod auth {
pub async fn require_auth(_r: &super::Req, _c: &super::Ctx) -> Result<super::User, ()> {
Ok(super::User { id: 1 })
}
}
mod realtime {
pub fn publish_to_group(_g: i64, _m: &str) {}
}
fn json_err(_msg: &str, _code: u16) -> Result<String, ()> {
Err(())
}
pub async fn handle_delete_doc(req: Req, ctx: Ctx, doc_id: i64) -> Result<String, ()> {
let user = auth::require_auth(&req, &ctx).await?;
let db = Db;
let existing = db.query_one(
"SELECT user_id, group_id FROM docs WHERE id = ?1",
&[doc_id],
);
let owner_id = existing.get_i64("user_id");
if owner_id != user.id {
return json_err("cannot delete another user's doc", 403);
}
// By construction, the row belongs to `user`, so any id read from it is authorized.
let group_id = existing.get_i64("group_id");
realtime::publish_to_group(group_id, "doc_deleted");
Ok("ok".into())
}
Reference in a new issue View git blame Copy permalink