Update privileged event filtering to respect ACL mode
Some checks failed
Go / build-and-release (push) Has been cancelled
Some checks failed
Go / build-and-release (push) Has been cancelled
Privileged events are now filtered based on ACL mode, allowing open access when ACL is "none." Added tests to verify behavior for different ACL modes, ensuring unauthorized and unauthenticated users can only access privileged events when explicitly permitted. Version bumped to v0.34.2.
This commit is contained in:
@@ -439,10 +439,12 @@ func (l *Listener) HandleReq(msg []byte) (err error) {
|
||||
// Event has private tag and user is authorized - continue to privileged check
|
||||
}
|
||||
|
||||
// Always filter privileged events based on kind, regardless of ACLMode
|
||||
// Filter privileged events based on kind when ACL is active
|
||||
// When ACL is "none", skip privileged filtering to allow open access
|
||||
// Privileged events should only be sent to users who are authenticated and
|
||||
// are either the event author or listed in p tags
|
||||
if kind.IsPrivileged(ev.Kind) && accessLevel != "admin" { // admins can see all events
|
||||
aclActive := acl.Registry.Active.Load() != "none"
|
||||
if kind.IsPrivileged(ev.Kind) && aclActive && accessLevel != "admin" { // admins can see all events
|
||||
log.T.C(
|
||||
func() string {
|
||||
return fmt.Sprintf(
|
||||
|
||||
Reference in New Issue
Block a user