Commit graph

2 commits

Author SHA1 Message Date
Andras Bacsai
3ba4553df5 fix(security): enforce team-scoped project/env lookups in onboarding
Use firstOrFail() for team-scoped project and environment lookups across
new-project Livewire flows so missing or cross-team UUIDs fail closed.
Also dispatch an error when boarding selects a non-owned project, and
update IDOR feature tests for the new error/exception behavior.
2026-03-29 15:55:03 +02:00

Andras Bacsai
e36622fdfb refactor: scope server and project queries to current team
Ensure Server and Project lookups in Livewire components and API
controllers use team-scoped queries (ownedByCurrentTeam / whereTeamId)
instead of unscoped find/where calls. This enforces consistent
multi-tenant isolation across all user-facing code paths.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-28 12:29:08 +01:00