Restrict project folder deletion to project owners
From the PR description
Summary
- block shared project members from calling
DELETE /projects/:projectId/folders/:folderId - keep folder-tree and document deletion behind project-owner authorization
Why
The folder delete route previously accepted any user with project access. Because that endpoint recursively deletes the folder tree and removes every document inside it, a shared project member could permanently delete documents they do not own.
Test
npm run build --prefix backend
Our analysis
Restrict recursive folder deletion to project owners — read the full analysis →
Think the analysis missed something the PR description covers?
Capture this PR into my fork
Download a Markdown prompt that tells Claude how to port every
commit in this PR into your working tree. Run it via
claude -p < capture-pull-176.md from
inside the repo you want the changes in.