fix: resolve CodeRabbit PR #328 review findings#331
Merged
Conversation
- SECURITY (critical): dashboard endpoints scoped data visibility from client-supplied callerRoleType/callerUserId — a forged callerRoleType 1/2 could read every user's workload/time data. Now derive the caller from the authenticated session (req.uid) and resolve roleType server-side from company_users; body values are ignored. Applied to employee-workload, team-tasktype-breakdown, team-logged-vs-eta, project-metrics, on-leave. - FreeResourcesCard/TeamCategoryBreakdownCard: read settings/teams fresh in load() instead of capturing the getter once at setup (went stale on late store load). - FreeResourcesCard: treat an explicit freeThresholdHours 0 as valid (was falsy-coerced to the default 3). - docs: correct the boot-integrity expected card count (24 -> 31). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…328) - Security: TLS certificate validation is now ON by default across all three mail paths; self-signed certs require an explicit NODEMAILER_ALLOW_SELF_SIGNED opt-in (was a hardcoded rejectUnauthorized:false → MITM exposure). - Return err.message instead of the raw Error object (which serialized to {}) in the send callbacks, so the failure reason reaches the caller. - Fix the error.messge typo that logged undefined. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Plus Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes the actionable findings CodeRabbit raised on the promotion PR #328. Merge this into
stagingfirst, then re-sync #328 so the promotion carries the fixes — the security items should land before staging→main.Fixed
callerRoleType/callerUserId, so a non-admin could POSTcallerRoleType: 1and read every user's workload/time data. Now the caller is derived from the authenticated session (req.uid) and the role is resolved server-side fromcompany_users(fail-closed to the most-restricted role). Applied toemployee-workload,team-tasktype-breakdown,team-logged-vs-eta,project-metrics, andon-leave.FreeResourcesCard+TeamCategoryBreakdownCardnow readsettings/teamsfresh insideload()instead of capturing it once at setup.FreeResourcesCard— an explicitfreeThresholdHours: 0is now honored (was falsy-coerced to the default 3).service.jsnow validates TLS certificates by default across all three mail paths; self-signed requires an explicitNODEMAILER_ALLOW_SELF_SIGNED=trueopt-in (was a hardcodedrejectUnauthorized:false→ MITM exposure). Also returnserr.message(not the rawError, which serialized to{}) and fixes anerror.messgetypo.Deferred (needs a decision — not a blocker)
ProjectResourceCardvsProjectPulseCard) — Sunday-based vs Monday-based windows for the same filter. Unifying requires deciding the canonical week start and touches the broadly-usedgetTimeRange/resolveIsoRangehelpers, so it warrants cross-card testing rather than a rushed change inside a release promotion.LiveWorkCardcardData/filters — CodeRabbit noted this was already addressed by later commits on chore: promote staging to main #328.Verification
node --checkoncontroller.js+service.js; eslint clean on the touched Vue components.🤖 Generated with Claude Code