mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-06 19:35:13 +02:00
a438886217
* refactor: Update comments for clarity and add expectations.json files for performance metrics * feat: Implement FP guard for JS/TS local-collection receivers to suppress missing ownership checks * feat: Enhance Rust parameter handling to classify local collections and prevent false ownership checks * refactor: Simplify code formatting for better readability in multiple files * refactor: Improve UTF-8 sequence length handling and enhance clarity in loop iteration * feat: Update Java and Python patterns to include new security rules * refactor: Improve comment clarity and consistency across multiple Rust files * refactor: Simplify code formatting for improved readability in integration tests and module files * refactor: Improve comment formatting and enhance clarity in assertions across multiple files
59 lines
1.7 KiB
Rust
59 lines
1.7 KiB
Rust
// target: authorization happens inside `validate_target`, which
|
|
// internally calls `authz::require_membership` against the same
|
|
// `group_id` the handler subsequently mutates. The current rule cannot
|
|
// see this transitively, B4 lifts per-function auth-check summaries
|
|
// (which positional params are auth-checked) so the handler-level call
|
|
// to `validate_target(&db, group_id, user.id)` is recognised as an
|
|
// auth check covering `group_id`. Result: `db.exec(..)` MUST NOT flag
|
|
// after B4 lands.
|
|
struct Ctx;
|
|
struct Req;
|
|
struct User {
|
|
id: i64,
|
|
}
|
|
struct Db;
|
|
impl Db {
|
|
fn insert(&self, _s: &str, _a: &[i64]) {}
|
|
}
|
|
mod auth {
|
|
pub async fn require_auth(_r: &super::Req, _c: &super::Ctx) -> Result<super::User, ()> {
|
|
Ok(super::User { id: 1 })
|
|
}
|
|
}
|
|
mod authz {
|
|
pub async fn require_membership(
|
|
_db: &super::Db,
|
|
_group: i64,
|
|
_user: i64,
|
|
) -> Result<(), ()> {
|
|
Ok(())
|
|
}
|
|
}
|
|
|
|
async fn validate_target(db: &Db, group_id: i64, user_id: i64) -> Result<(), ()> {
|
|
// Helper encapsulates the ownership check.
|
|
authz::require_membership(db, group_id, user_id).await?;
|
|
Ok(())
|
|
}
|
|
|
|
pub async fn handle_create_comment(
|
|
req: Req,
|
|
ctx: Ctx,
|
|
group_id: i64,
|
|
body: String,
|
|
) -> Result<String, ()> {
|
|
let user = auth::require_auth(&req, &ctx).await?;
|
|
let db = Db;
|
|
|
|
// Authorization happens inside validate_target, helper-summary
|
|
// lifting propagates the per-param auth check so this covers
|
|
// `group_id`.
|
|
validate_target(&db, group_id, user.id).await?;
|
|
|
|
let _ = body;
|
|
db.insert(
|
|
"INSERT INTO comments (group_id, body) VALUES (?1, ?2)",
|
|
&[group_id],
|
|
);
|
|
Ok("ok".into())
|
|
}
|