willchen96 slams the door on cross-project folder snooping
An outside contributor closes a hole that let one project's folder operations reach into another's.
Project folders are how Mike keeps each matter's documents organised in its own walled garden. The problem: the routes handling those folders trusted whatever folder ID a caller handed them, without checking the folder actually belonged to the project being worked in. In practice that meant someone could reference a folder from a different project - and re-parent a folder under it, or file a document into it - quietly moving things across boundaries that were supposed to be sealed.
The fix, contributed by Eli Fayerman rather than the usual maintainer, threads a single ownership check through every folder operation: if the target folder doesn't belong to the current project, the request comes back as a plain "not found." No accidental reach-across, no leaking that the other project's folder even exists. It's small, self-contained, and ships without tests.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?