fix(policy): remove dead guest read rule on authenticated task routes #3135

@PierreBrisorgueil

Description

Context

Raised by Copilot review on #3134.

Problem

modules/tasks/policies/tasks.policy.js grants guest the read action on /api/tasks/:taskId:

{ roles: ['guest'], actions: ['read'], subject: '/api/tasks/:taskId' },

However, the route is behind passport.authenticate('jwt', { session: false }):

app.route('/api/tasks/:taskId')
  .all(passport.authenticate('jwt', { session: false }), policy.isAllowed)

Guests are rejected by the JWT middleware before policy.isAllowed is ever called — this rule is dead code.

Fix

Remove the dead guest rule for /api/tasks/:taskId from tasks.policy.js, or make the GET route public if guest access is actually intended.
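The ordering argument above (JWT middleware runs first, so a guest never reaches the policy check) can be made mechanical. The following is an added example, not code from the project this issue belongs to: it models the `.all(passport.authenticate('jwt'), policy.isAllowed)` chain with simplified stand-ins (no real token verification), uses a constructed rule set in the same shape as the snippet in the issue (the `user` rule and `/api/public` route are assumptions), and then runs a static check that reports any guest rule whose subject is only reachable through a JWT-authenticated route. Function names `dispatch` and `findDeadGuestRules` are this example's own.

```javascript
// Constructed policy rules, same shape as the rule quoted in the issue.
// The 'user' rule and the '/api/public' subject are assumptions for the example.
const rules = [
  { roles: ['guest'], actions: ['read'], subject: '/api/tasks/:taskId' },
  { roles: ['user'], actions: ['read', 'update', 'delete'], subject: '/api/tasks/:taskId' },
  { roles: ['guest', 'user'], actions: ['read'], subject: '/api/public' },
];

// Constructed route table: the ordered middleware each subject runs.
// '/api/tasks/:taskId' mirrors the .all(jwt, policy) chain from the issue.
const routes = [
  { subject: '/api/tasks/:taskId', middleware: ['jwt', 'policy'] },
  { subject: '/api/public', middleware: ['policy'] },
];

// Stand-in for passport.authenticate('jwt', { session: false }):
// no token means the request is rejected here, before any policy runs.
function jwtAuthenticate(req) {
  if (!req.token) return { status: 401, reason: 'jwt rejected unauthenticated request' };
  return null;
}

// Stand-in for policy.isAllowed: role derives from the token, 'guest' otherwise.
function policyIsAllowed(req) {
  const role = req.token ? req.token.role : 'guest';
  const ok = rules.some(
    (r) => r.subject === req.subject && r.roles.includes(role) && r.actions.includes(req.action),
  );
  return ok ? null : { status: 403, reason: 'policy denied' };
}

const middlewareImpl = { jwt: jwtAuthenticate, policy: policyIsAllowed };

// Run the route's middleware in order; stop at the first rejection.
// 'reached' records which middleware actually executed.
function dispatch(req) {
  const route = routes.find((r) => r.subject === req.subject);
  if (!route) return { status: 404, reason: 'no route', reached: [] };
  const reached = [];
  for (const name of route.middleware) {
    reached.push(name);
    const rejection = middlewareImpl[name](req);
    if (rejection) return { ...rejection, reached };
  }
  return { status: 200, reason: 'allowed', reached };
}

// Static check: a guest rule is dead when every route for its subject runs
// 'jwt' before 'policy' (or has no policy step at all). Rules whose subject
// has no route are not reported, since nothing is known about their chain.
function findDeadGuestRules(policyRules, routeTable) {
  return policyRules.filter((rule) => {
    if (!rule.roles.includes('guest')) return false;
    const matching = routeTable.filter((r) => r.subject === rule.subject);
    if (matching.length === 0) return false;
    return matching.every((r) => {
      const jwt = r.middleware.indexOf('jwt');
      const pol = r.middleware.indexOf('policy');
      return jwt !== -1 && (pol === -1 || jwt < pol);
    });
  });
}

// Stand-alone run: a guest read on the task route stops at 'jwt';
// the static check names that guest rule as dead.
console.log(dispatch({ subject: '/api/tasks/:taskId', action: 'read' }));
console.log(findDeadGuestRules(rules, routes));
```

In a real code base the route table would be built from the registered Express routes (their `stack` of handler names) rather than hand-written, and the check would run in CI so that a rule which becomes unreachable after a middleware change fails the build instead of lingering silently.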
