lawyered0 closes a back door in shared document review
A fix that stops a single shared review from becoming a skeleton key to an entire project's private documents.
lawyered0 has spotted a quiet gap in how Mike handles shared reviews. When you build a table of extracted facts across a set of documents, the tool has a fallback: if there's nothing to pull from yet, it grabs every document in the parent project to work from. The problem is that it grabbed all of them - without checking whether the person running the extraction was actually allowed to see each one.
That mattered because access to a review can be granted directly, one review at a time, without giving someone the run of the whole project. Under the old behaviour, anyone handed that single shared review could trigger extraction across every document in its project, private files included. lawyered0's change runs the fallback set through the same per-document permission check the codebase already uses elsewhere, so only documents you're cleared to see feed the table. The fix is proposed but not yet merged.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?