Restrict project folder deletion to project owners

⛔ closed · #176 · Open-Legal-Products/mike ← lawyered0/mike · opened 1mo ago by lawyered0 · closed 20d ago · +1 across 1 file · ↗ on GitHub

From the PR description

Summary

  • block shared project members from calling DELETE /projects/:projectId/folders/:folderId
  • keep folder-tree and document deletion behind project-owner authorization

Why

The folder delete route previously accepted any user with project access. Because that endpoint recursively deletes the folder tree and removes every document inside it, a shared project member could permanently delete documents they do not own.

Test

  • npm run build --prefix backend

Our analysis

Restrict recursive folder deletion to project owners — read the full analysis →

Think the analysis missed something the PR description covers?

Capture this PR into my fork

Download a Markdown prompt that tells Claude how to port every commit in this PR into your working tree. Run it via claude -p < capture-pull-176.md from inside the repo you want the changes in.

⬇ Download capture-pull-176.md