From 607f822b4e6c1c5263e40e09f0dcb7d03d4b1459 Mon Sep 17 00:00:00 2001
From: markov
Date: Thu, 26 Feb 2026 15:13:50 +0100
Subject: [PATCH] =?UTF-8?q?Fix=20#8:=20Remove=20author=5Ftype/author=5Fid?= =?UTF-8?q?=20from=20MessageCreate=20=E2=80=94=20always=20resolve=20from?= =?UTF-8?q?=20auth?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/tracker/api/messages.py | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/src/tracker/api/messages.py b/src/tracker/api/messages.py
index 5ff10de..b527044 100644
--- a/src/tracker/api/messages.py
+++ b/src/tracker/api/messages.py
@@ -36,8 +36,6 @@ class MessageCreate(BaseModel):
     chat_id: str | None = None
     task_id: str | None = None
     parent_id: str | None = None
-    author_type: str | None = None # auto-detected from member
-    author_id: str | None = None # auto-detected from auth
     content: str
     mentions: list[str] = []
     voice_url: str | None = None
@@ -81,12 +79,12 @@ async def create_message(req: MessageCreate, request: Request, db: AsyncSession
     if not req.chat_id and not req.task_id:
         raise HTTPException(400, "Either chat_id or task_id must be provided")
 
-    # Resolve author from auth
+    # Resolve author from auth — never trust client-provided author fields
     member = getattr(request.state, "member", None)
-    author_id = uuid.UUID(req.author_id) if req.author_id else (member.id if member else None)
-    author_type = req.author_type or (member.type if member else AuthorType.HUMAN)
-    if not author_id:
+    if not member:
        raise HTTPException(401, "Not authenticated")
+    author_id = member.id
+    author_type = member.type
 
     msg = Message(
         chat_id=uuid.UUID(req.chat_id) if req.chat_id else None,
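Review bot: The new comment on the resolve-author line promises that client-provided author fields are never trusted, but the commit only drops them from MessageCreate; unless that model is configured to reject unknown fields, a client that still sends `author_id` or `author_type` gets a silent success instead of a 422, so consider adding pydantic's `extra="forbid"` to MessageCreate's model config alongside the field removal in the first hunk so the old contract fails loudly. The `if not member:` guard sits after the chat_id/task_id validation, so an unauthenticated caller receives a 400 for a malformed body and a 401 only once the body is well-formed; moving the member check above the 400 check makes the unauthenticated response uniform and keeps request-shape validation behind authentication. With the `AuthorType.HUMAN` fallback gone, `AuthorType` may no longer be referenced in this module, which is worth checking against the import block. create_message's body continues outside the hunk, as the Message(...) constructor is cut off.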