WilliamACLove ↗ analysis ↗ GitHub WilliamACLove/mike-harvey-competition-legal-research-
Security-focused fork patching cross-tenant authorization gaps in Mike's Supabase backend
WilliamACLove's fork targets a cluster of multi-tenancy bugs: missing Row Level Security on most data tables, insecure document ID handling in the tabular review endpoints, and unchecked folder operations that let project members manipulate structure across project boundaries. The work includes both a one-shot schema update and incremental migrations for live deployments.
What's in it
- Tenant isolation Closes three separate paths that could let one client see another client's chats, documents or folder layout.
- Backend security focus The work that's been done so far reads as a deliberate sweep through multi-tenant boundaries rather than scattered fixes.
Direction
securitymulti-tenant
Activity
Threads of work (detailed view)
Three cross-tenant data leaks closed in the Mike backend
WilliamACLove's PR patches a trio of authorization gaps that let one tenant read another's documents, chats, and LLM-extracted content. The most blunt problem: only the `user_profiles` table had Row Level Security enabled, leaving every other data table reachable through PostgREST with the anon key shipped in the JS bundle.
Pull requests (detailed view)
🟢 Open (1)
WilliamACLove · opened 3mo ago