ryanmcdonough plugs a chat-creation authorization hole

A small fix closes a gap that let any signed-in user attach chats to projects they shouldn't see.

Tags: security, multi-tenant

The original Mike codebase had a quiet flaw in how it created chats: when a user started a new chat tied to a project, the backend trusted whatever project ID the request handed it, without checking the user was actually allowed into that project. An authenticated user could effectively park their chats inside someone else's matter.

ryanmcdonough's fork adds the missing check, using the same access helper the rest of the codebase already relies on for project-scoped routes. If you don't own the project or haven't been shared into it, the request gets a not-found response and no chat row is written. Upstream still has the gap.
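To make the flaw and the fix concrete, here is an added illustration written for this writeup. It is not Mike's code and not ryanmcdonough's commit: the in-memory project store, the `user_can_access_project` helper, the handler names and the sample users are all assumptions, chosen to mirror what the commit subject describes (a project-access check keyed on the user's email). The "before" handler trusts the client-supplied project ID once the user is signed in; the "after" handler gates the write on the same access helper the project-scoped routes would use and answers not-found without writing a chat row.

```python
"""Added example, not code from the Mike project: a chat-creation endpoint
before and after a project-access check. Every name and record below is a
constructed assumption for illustration."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Project:
    id: str
    owner_email: str
    shared_with: set = field(default_factory=set)  # emails explicitly shared in


@dataclass
class Chat:
    id: int
    project_id: str
    created_by: str


# Constructed sample tenancy: alice owns matter-1, bob owns matter-2 and has
# shared it with carol. Nothing is shared with alice beyond her own matter.
PROJECTS = {
    "matter-1": Project("matter-1", "alice@example.com"),
    "matter-2": Project("matter-2", "bob@example.com", {"carol@example.com"}),
}
CHATS: list[Chat] = []  # stands in for the chats table


def user_can_access_project(user_email: str, project_id: str) -> bool:
    """Hypothetical access helper: true only for the owner or a shared-in user.
    An unknown project id is treated the same as a forbidden one."""
    project = PROJECTS.get(project_id)
    if project is None:
        return False
    return user_email == project.owner_email or user_email in project.shared_with


def create_chat_vulnerable(user_email: str, project_id: str) -> tuple[int, Optional[Chat]]:
    """Before: authentication is checked, but the project id is trusted as-is,
    so any signed-in user can attach a chat to any project."""
    if not user_email:
        return 401, None
    chat = Chat(id=len(CHATS) + 1, project_id=project_id, created_by=user_email)
    CHATS.append(chat)  # row lands inside someone else's matter
    return 201, chat


def create_chat_fixed(user_email: str, project_id: str) -> tuple[int, Optional[Chat]]:
    """After: the access helper runs before any write. A not-found response,
    rather than 403, avoids confirming to an outsider that the project exists."""
    if not user_email:
        return 401, None
    if not user_can_access_project(user_email, project_id):
        return 404, None  # no chat row is written
    chat = Chat(id=len(CHATS) + 1, project_id=project_id, created_by=user_email)
    CHATS.append(chat)
    return 201, chat


def chats_in(project_id: str) -> list[Chat]:
    """Rows currently attached to a project; useful for asserting no write happened."""
    return [c for c in CHATS if c.project_id == project_id]


if __name__ == "__main__":
    # alice is signed in but has no access to bob's matter.
    print(create_chat_vulnerable("alice@example.com", "matter-2"))  # 201: the gap
    print(create_chat_fixed("alice@example.com", "matter-2"))       # 404: the fix
    print(create_chat_fixed("carol@example.com", "matter-2"))       # 201: shared-in user
```

The check is a single line once a shared helper exists, which is why the fork's fix is small; the defensive point is that every route taking a project identifier from the client has to call it, not just the ones that list or read projects.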

So what: Any team running Mike in a multi-user setup, especially firms where projects map to client matters, should pull this in before someone notices the hard way.


Commits in this thread

1 commit from ryanmcdonough/mike, oldest first. Source extracted verbatim from the harvested git log.

SHA       Subject                                                                  Author         Date
69c283ee  Enhance chat creation endpoint to check project access using user email  ryanmcdonough  2026-04-30
