@@ -67,6 +67,12 @@ export class PageTemplateController {
|
||||
throw new NotFoundException('Page not found');
|
||||
}
|
||||
|
||||
if (page.workspaceId !== user.workspaceId) {
|
||||
// Defense-in-depth: never act on a page outside the caller's workspace.
|
||||
// Use NotFound (not Forbidden) to avoid leaking cross-workspace existence.
|
||||
throw new NotFoundException('Page not found');
|
||||
}
|
||||
|
||||
await this.pageAccessService.validateCanEdit(page, user);
|
||||
|
||||
const isTemplate =
|
||||
|
||||
@@ -317,6 +317,7 @@ export class TransclusionService {
|
||||
if (toDelete.length > 0) {
|
||||
await this.pageTemplateReferencesRepo.deleteByReferenceAndSources(
|
||||
referencePageId,
|
||||
workspaceId,
|
||||
toDelete,
|
||||
trx,
|
||||
);
|
||||
|
||||
@@ -38,12 +38,15 @@ export class PageTemplateReferencesRepo {
|
||||
|
||||
async deleteByReferenceAndSources(
|
||||
referencePageId: string,
|
||||
workspaceId: string,
|
||||
sourcePageIds: string[],
|
||||
trx?: KyselyTransaction,
|
||||
): Promise<void> {
|
||||
if (sourcePageIds.length === 0) return;
|
||||
await dbOrTx(this.db, trx)
|
||||
.deleteFrom('pageTemplateReferences')
|
||||
// Defense-in-depth: scope deletes to the caller's workspace.
|
||||
.where('workspaceId', '=', workspaceId)
|
||||
.where('referencePageId', '=', referencePageId)
|
||||
.where('sourcePageId', 'in', sourcePageIds)
|
||||
.execute();
|
||||
|
||||
Reference in New Issue
Block a user