
fix: scope MCP permission guards to PAT requests and drop the project-count cap#248

Merged: parth0025 merged 1 commit into staging from fix/permission-guard-and-project-cap on Jun 16, 2026

Conversation

@parth0025

Collaborator

Two fixes that stop over-restrictive gating from affecting the web app.

Config/permissionGuard.js

  • The permission/role guards (requireRole, requirePermission, requireTaskActionPermission) now run ONLY for PAT (MCP / API-token) requests, detected via req.apiToken. JWT / web-app requests fall straight through, so existing frontend/backend behaviour is byte-for-byte unchanged.
  • Why: the backend mirror of the frontend checkPermission is not yet a perfect match for per-project overrides, so gating shared web routes caused false denials in production (e.g. assigning a task -> 403). Scoping enforcement to PAT-only removes that risk while keeping MCP / API clients gated.
  • Also adds sheet_settings.user_timesheet and sheet_settings.workload_timesheet to MCP_PERMISSION_KEYS.

Modules/createProject/controller.js

  • checkProjectPlan no longer enforces a plan project-count cap. Project creation is gated only by the project.project_create permission (route guard + MCP client) — checkProjectPlan now always resolves { status: true }.

Both files syntax-checked (node --check).

🤖 Generated with Claude Code

…-count cap

permissionGuard.js: the permission/role guards now run only for PAT (MCP / API-token) requests (req.apiToken). JWT/web-app requests pass straight through, so existing frontend/backend behaviour is byte-for-byte unchanged - fixes false denials on shared web routes (e.g. assigning a task). Also adds user_timesheet + workload_timesheet to MCP_PERMISSION_KEYS.

createProject/controller.js: checkProjectPlan no longer enforces a plan project-count cap; creation is gated only by the project.project_create permission. Always resolves { status: true }.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 16, 2026


Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 76c2323c-fffd-46c4-8c1f-ff75e8b9d474


@parth0025 parth0025 merged commit cc4ce92 into staging Jun 16, 2026
4 checks passed
parth0025 added a commit that referenced this pull request Jun 16, 2026
Companion to #248: the owner-only role-promotion check in updateMember now runs only for PAT/MCP requests (req.apiToken), so the web app's role management behaves exactly as before. Same 2026-06-15 MCP-isolation hardening as permissionGuard.js.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
parth0025 added a commit that referenced this pull request Jun 16, 2026
…249)

* fix: address safe CodeRabbit findings from the promotion (#240) review

Six low-risk, verified fixes:
- Webhooks/dispatcher.js: guard against an undefined pending entry in the debounce callback (entry.doc could throw).
- gitlabOAuth/controller.js: add a 15s timeout to the token-exchange axios call (was unbounded).
- Admin/common/controller.js: drop an erroneous JSON.parse in the missing-file branch (makeDefaultBrandSettings resolves an object) - fixes a first-run 404 on getBrandSettingsData.
- Stickies/helpers/stickyRules.js: strict boolean for isPinned (the string 'false' no longer coerces to true).
- StickiesPanel.vue: clear the pending debounced save in remove() so it cannot fire a stale PUT after delete.
- README.md: 'Priority support & SLAs' -> 'response-time targets' to match SUPPORT.md.

Verified: node --check (backend), sticky-rules jest 16/16, StickiesPanel SFC compile.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix: scope updateMember role-promotion guard to PAT requests

Companion to #248: the owner-only role-promotion check in updateMember now runs only for PAT/MCP requests (req.apiToken), so the web app's role management behaves exactly as before. Same 2026-06-15 MCP-isolation hardening as permissionGuard.js.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>