WilliamACLove/mike-harvey-competition-legal-research-

Security-focused fork patching cross-tenant authorization gaps in Mike's Supabase backend

One security-focused PR addressing three distinct cross-tenant data access paths: blanket RLS enforcement across non-`user_profiles` tables, an accessible-document filter threaded through four tabular review endpoints, and project-scoped validation for folder move operations.

View on GitHub →

WilliamACLove's fork targets a cluster of multi-tenancy bugs: missing Row Level Security on most data tables, insecure document ID handling in the tabular review endpoints, and unchecked folder operations that let project members manipulate structure across project boundaries. The work includes both a one-shot schema update and incremental migrations for live deployments.

What's in it

Direction

securitymulti-tenant

Activity

Themed changes and pull requests touching this fork, newest first. Themed changes that haven't been turned into a public post yet still appear — they're real work even without a published writeup.

📝 Three cross-tenant data leaks closed in the Mike backend 0 commits securitymulti-tenant draft
WilliamACLove's PR patches a trio of authorization gaps that let one tenant read another's documents, chats, and LLM-extracted content. The most blunt problem: only the `user_profiles` table had Row Level Security enable…

Threads of work (detailed view)

1 thread have been distilled into posts.

Three cross-tenant data leaks closed in the Mike backend

WilliamACLove's PR patches a trio of authorization gaps that let one tenant read another's documents, chats, and LLM-extracted content. The most blunt problem: only the `user_profiles` table had Row Level Security enabled, leaving every other data table reachable through PostgREST with the anon key shipped in the JS bundle.

Pull requests (detailed view)

1 PR touch this fork — inbound (filed against it) or outbound (filed from it). State icons match the editorial dashboard.

🟢 Open (1)