`4b9dfc2`

notifications: existence + visibility check on thread subscribe (SR2 H7+L4+L5+L7)

H7: threadAction now loads the issue by id, asserts kind matches
the URL kind (issue vs pr), then runs policy.IsVisibleTo on the
parent repo before upserting notification_threads. Pre-fix any
logged-in user could pollute the table with rows for private or
non-existent issues.

L4: dropped the raw `r.Header.Get("Referer")` redirect; route
through notificationReturnPath which already validates the
return_to form value via safeNotificationReturnPath.

L5: kind check moved before VerifyUnsubscribe so unknown kinds
fast-fail without a constant-time HMAC compare.

L7: 5 silent `_ = h.d.Render.RenderPage(...)` callsites in
orgs/orgs.go and orgs/teams.go now log on render error so a
broken template surfaces instead of returning a blank 200.

Authored by

espadonne 3 days ago

SHA: 4b9dfc2af4405aba144b9d56bc8ffa571e2271fe
Parents: 38697c4
Tree: b859cd5

3 changed files

Status	File	+	-
M	`internal/web/handlers/notifications/notifications.go`	50	10
M	`internal/web/handlers/orgs/orgs.go`	12	6
M	`internal/web/handlers/orgs/teams.go`	8	4

internal/web/handlers/notifications/notifications.gomodified

  	"github.com/go-chi/chi/v5"
  	"github.com/jackc/pgx/v5/pgxpool"
 +	"github.com/tenseleyFlow/shithub/internal/auth/policy"
 +	issuesdb "github.com/tenseleyFlow/shithub/internal/issues/sqlc"
  	"github.com/tenseleyFlow/shithub/internal/notif"
  	notifdb "github.com/tenseleyFlow/shithub/internal/notif/sqlc"
 +	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"
  	"github.com/tenseleyFlow/shithub/internal/web/middleware"
  	"github.com/tenseleyFlow/shithub/internal/web/render"
+ )
  // inserts (or updates) a row with subscribed=true; `false` flips it
  // off. The fan-out worker honors the explicit row over the auto-sub
  // derivation.
 +//
 +// SR2 H7: pre-fix this handler accepted any (kind, id) pair without
 +// checking that the thread existed or that the viewer could read
 +// the parent repo, letting any logged-in user pollute the thread
 +// table with rows pointing at private/non-existent issues. Now we
 +// load the issue, confirm the kind matches, and run the policy
 +// visibility gate before upserting.
 +//
 +// SR2 L4: Referer is origin-checked before redirecting (was open-
 +// redirect-shaped on Referer manipulation if the cookie surface
 +// ever relaxed SameSite).
  func (h *Handlers) threadAction(w http.ResponseWriter, r *http.Request, subscribed bool) {
  	viewer := middleware.CurrentUserFromContext(r.Context())
  	if viewer.IsAnonymous() {
  		return
+ 	}
  	id, err := strconv.ParseInt(chi.URLParam(r, "id"), 10, 64)
 -	if err != nil {
 +	if err != nil || id <= 0 {
  		h.d.Render.HTTPError(w, r, http.StatusBadRequest, "")
  		return
+ 	}
++
 +	// Existence + kind match. Issues and PRs share the issues table;
 +	// the kind column distinguishes. Mismatched kind (e.g. /pr/<issue-id>)
 +	// is treated as not-found, same as a non-existent id.
 +	issue, err := issuesdb.New().GetIssueByID(r.Context(), h.d.Pool, id)
 +	if err != nil {
 +		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")
 +		return
 +	}
 +	wantKind := issuesdb.IssueKindIssue
 +	if kindStr == "pr" {
 +		wantKind = issuesdb.IssueKindPr
 +	}
 +	if issue.Kind != wantKind {
 +		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")
 +		return
 +	}
++
 +	// Visibility — viewer must be able to read the parent repo.
 +	repo, err := reposdb.New().GetRepoByID(r.Context(), h.d.Pool, issue.RepoID)
 +	if err != nil {
 +		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")
 +		return
 +	}
 +	pdeps := policy.Deps{Pool: h.d.Pool}
 +	if !policy.IsVisibleTo(r.Context(), pdeps, viewer.PolicyActor(), policy.NewRepoRefFromRepo(repo)) {
 +		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")
 +		return
 +	}
++
  	reason := "manual"
  	if !subscribed {
  		reason = "manual_unsubscribe"
  		h.d.Logger.WarnContext(r.Context(), "notifications: thread action",
  			"kind", kindStr, "id", id, "subscribed", subscribed, "error", err)
+ 	}
 -	// Bounce back to the thread the viewer was on. Best-effort: when
 -	// the Referer is missing, fall back to /notifications.
 -	dest := r.Header.Get("Referer")
 -	if dest == "" {
 -		dest = "/notifications"
 -	}
 -	http.Redirect(w, r, dest, http.StatusSeeOther)
 +	http.Redirect(w, r, notificationReturnPath(r), http.StatusSeeOther)
+ }
  // unsubscribeViaToken handles the email's one-click List-Unsubscribe
  		h.d.Render.HTTPError(w, r, http.StatusBadRequest, "")
  		return
+ 	}
 -	if !notif.VerifyUnsubscribe(h.d.UnsubscribeKey, uid, tk, tid, sig) {
 +	// SR2 L5: kind check before HMAC compare so an unknown kind
 +	// fast-fails without burning a constant-time compare.
 +	if tk != "issue" && tk != "pr" {
  		h.d.Render.HTTPError(w, r, http.StatusBadRequest, "")
  		return
+ 	}
 -	if tk != "issue" && tk != "pr" {
 +	if !notif.VerifyUnsubscribe(h.d.UnsubscribeKey, uid, tk, tid, sig) {
  		h.d.Render.HTTPError(w, r, http.StatusBadRequest, "")
  		return
+ 	}

internal/web/handlers/orgs/orgs.gomodified

+ }
  func (h *Handlers) renderNewForm(w http.ResponseWriter, r *http.Request, slug, errMsg string) {
 -	_ = h.d.Render.RenderPage(w, r, "orgs/new", map[string]any{
 +	if err := h.d.Render.RenderPage(w, r, "orgs/new", map[string]any{
  		"Title":     "New organization",
  		"CSRFToken": middleware.CSRFTokenForRequest(r),
  		"Slug":      slug,
  		"Error":     errMsg,
 -	})
 +	}); err != nil {
 +		h.d.Logger.ErrorContext(r.Context(), "orgs: render", "tpl", "orgs/new", "error", err)
 +	}
+ }
  // ─── people ────────────────────────────────────────────────────────
  			pending, _ = q.ListPendingInvitationsForOrg(r.Context(), h.d.Pool, org.ID)
+ 		}
+ 	}
 -	_ = h.d.Render.RenderPage(w, r, "orgs/people", map[string]any{
 +	if err := h.d.Render.RenderPage(w, r, "orgs/people", map[string]any{
  		"Title":     org.Slug + " · people",
  		"CSRFToken": middleware.CSRFTokenForRequest(r),
  		"Org":       org,
  		"Members":   members,
  		"Pending":   pending,
  		"IsOwner":   isOwner,
 -	})
 +	}); err != nil {
 +		h.d.Logger.ErrorContext(r.Context(), "orgs: render", "tpl", "orgs/people", "error", err)
 +	}
+ }
  func (h *Handlers) invite(w http.ResponseWriter, r *http.Request) {
  		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")
  		return
+ 	}
 -	_ = h.d.Render.RenderPage(w, r, "orgs/invitation", map[string]any{
 +	if err := h.d.Render.RenderPage(w, r, "orgs/invitation", map[string]any{
  		"Title":      "Organization invitation",
  		"CSRFToken":  middleware.CSRFTokenForRequest(r),
  		"Org":        org,
  		"Invitation": inv,
  		"Token":      tok,
 -	})
 +	}); err != nil {
 +		h.d.Logger.ErrorContext(r.Context(), "orgs: render", "tpl", "orgs/invitation", "error", err)
 +	}
+ }
  func (h *Handlers) invitationAccept(w http.ResponseWriter, r *http.Request) {

internal/web/handlers/orgs/teams.gomodified

  	if !viewer.IsAnonymous() {
  		isOwner, _ = orgs.IsOwner(r.Context(), h.deps(), org.ID, viewer.ID)
+ 	}
 -	_ = h.d.Render.RenderPage(w, r, "orgs/teams_list", map[string]any{
 +	if err := h.d.Render.RenderPage(w, r, "orgs/teams_list", map[string]any{
  		"Title":     org.Slug + " · teams",
  		"CSRFToken": middleware.CSRFTokenForRequest(r),
  		"Org":       org,
  		"Teams":     visible,
  		"IsOwner":   isOwner,
 -	})
 +	}); err != nil {
 +		h.d.Logger.ErrorContext(r.Context(), "orgs: render", "tpl", "orgs/teams_list", "error", err)
 +	}
+ }
  // teamCreate handles POST /{org}/teams. Owner-only.
  	if !viewer.IsAnonymous() {
  		isOwner, _ = orgs.IsOwner(r.Context(), h.deps(), org.ID, viewer.ID)
+ 	}
 -	_ = h.d.Render.RenderPage(w, r, "orgs/team_view", map[string]any{
 +	if err := h.d.Render.RenderPage(w, r, "orgs/team_view", map[string]any{
  		"Title":     string(org.Slug) + "/" + string(team.Slug),
  		"CSRFToken": middleware.CSRFTokenForRequest(r),
  		"Org":       org,
  		"Members":   members,
  		"Repos":     repos,
  		"IsOwner":   isOwner,
 -	})
 +	}); err != nil {
 +		h.d.Logger.ErrorContext(r.Context(), "orgs: render", "tpl", "orgs/team_view", "error", err)
 +	}
+ }
  // teamMemberAddRemove handles POST .../members. Form action=add|remove.