team-board/tracker
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix #8: Remove author_type/author_id from MessageCreate — always resolve from auth
Some checks failed
Deploy Tracker / deploy (push) Failing after 5s
Details

Browse Source
This commit is contained in:
markov 2026-02-26 15:13:50 +01:00
parent 7233d3f507
commit 607f822b4e
1 changed files with 4 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/tracker/api/messages.py
View File

@ -36,8 +36,6 @@ class MessageCreate(BaseModel):
chat_id: str | None = None chat_id: str | None = None
task_id: str | None = None task_id: str | None = None
parent_id: str | None = None parent_id: str | None = None
author_type: str | None = None # auto-detected from member
author_id: str | None = None # auto-detected from auth
content: str content: str
mentions: list[str] = [] mentions: list[str] = []
voice_url: str | None = None voice_url: str | None = None
@ -81,12 +79,12 @@ async def create_message(req: MessageCreate, request: Request, db: AsyncSession
if not req.chat_id and not req.task_id: if not req.chat_id and not req.task_id:
raise HTTPException(400, "Either chat_id or task_id must be provided") raise HTTPException(400, "Either chat_id or task_id must be provided")
# Resolve author from auth # Resolve author from auth — never trust client-provided author fields
member = getattr(request.state, "member", None) member = getattr(request.state, "member", None)
author_id = uuid.UUID(req.author_id) if req.author_id else (member.id if member else None) if not member:
author_type = req.author_type or (member.type if member else AuthorType.HUMAN)
if not author_id:
raise HTTPException(401, "Not authenticated") raise HTTPException(401, "Not authenticated")
author_id = member.id
author_type = member.type
msg = Message( msg = Message(
chat_id=uuid.UUID(req.chat_id) if req.chat_id else None, chat_id=uuid.UUID(req.chat_id) if req.chat_id else None,