Release-cycle review: POST /pages/template/lookup had only JwtAuthGuard and the embed depth cap was client-only, so a scripted client could drive heavy full-content fan-out (access control holds per-id, but a cost/DoS gap). And page_template_references rows were written for any sourcePageId with no workspace check at sync time (no leak today since lookup re-checks access, but the graph could accumulate cross-space rows).

- Apply the standard per-user throttler (PAGE_TEMPLATE_THROTTLER, 30/min) to /pages/template/lookup and /pages/toggle-template (mirrors ai-chat); auth + the toggle's validateCanEdit CASL are unchanged.
- syncPageTemplateReferences / insertTemplateReferencesForPages now restrict inserts to in-workspace source ids (filterInWorkspaceSourceIds, workspace + not-deleted scoped, trx-aware) and still delete stale out-of-workspace rows (self-heal). SECURITY comment: the ref table is NOT access-filtered; every consumer must permission-filter at read time (as lookupTemplate does).
- Tests: lookup access exercises the REAL filterViewerAccessiblePageIds (no_access / cross-workspace excluded / accessible+comment-stripped / <=50); toggle controller CASL (cannot-edit -> Forbidden, flag not flipped); ref-sync excludes cross-workspace and keeps in-workspace.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
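The commit message above names two controls: a per-user rate limit on the lookup and toggle endpoints, and a sync-time filter that only writes reference rows for source pages inside the workspace, with the reminder that the reference table itself is not access-filtered and every reader must permission-filter. The block below is an added illustration of that pattern and is not the project's code: the class and function names (PerUserThrottler, filterInWorkspaceSourceIds, syncTemplateReferences, lookupTemplate), the in-memory page rows and the viewer-access map are all assumptions constructed for the example. It models the limiter as a plain fixed-window counter keyed by user id rather than the framework guard the project uses.

```typescript
// Added example (not the project's code). Models the two controls from the
// commit message: a per-user throttler and a workspace-scoped reference sync,
// plus a lookup that permission-filters the unscoped reference table at read
// time. Every identifier, the sample rows and the access map are assumptions.

type PageId = string;
type WorkspaceId = string;
type UserId = string;

interface PageRow {
  id: PageId;
  workspaceId: WorkspaceId;
  deletedAt: number | null; // null = live, otherwise soft-deleted
  content: string;
  comments: string[];
}

interface TemplateRef {
  templatePageId: PageId;
  sourcePageId: PageId;
}

// Fixed-window limiter keyed by user id: a logged-in scripted client can drive
// expensive fan-out from a single account, so an IP-based limit is not enough.
class PerUserThrottler {
  private readonly windows = new Map<UserId, { start: number; count: number }>();
  private readonly limit: number;
  private readonly windowMs: number;

  constructor(limit: number, windowMs: number) {
    this.limit = limit;
    this.windowMs = windowMs;
  }

  // true: request may proceed; false: caller should answer 429 Too Many Requests.
  allow(user: UserId, now: number): boolean {
    const w = this.windows.get(user);
    if (w === undefined || now - w.start >= this.windowMs) {
      this.windows.set(user, { start: now, count: 1 });
      return true;
    }
    if (w.count >= this.limit) return false;
    w.count += 1;
    return true;
  }
}

// Assumed limit, using the 30/min figure from the commit message.
const PAGE_TEMPLATE_THROTTLER = new PerUserThrottler(30, 60000);

// Constructed sample rows: two workspaces, one soft-deleted page.
const pages: PageRow[] = [
  { id: "p1", workspaceId: "wsA", deletedAt: null, content: "alpha", comments: ["c1"] },
  { id: "p2", workspaceId: "wsA", deletedAt: 1700000000, content: "beta", comments: [] },
  { id: "p3", workspaceId: "wsB", deletedAt: null, content: "gamma", comments: ["c2"] },
];

// Constructed viewer permissions: which page ids each user may read.
const viewerAccess = new Map<UserId, Set<PageId>>([
  ["alice", new Set(["p1", "p2"])],
  ["bob", new Set(["p3"])],
]);

// Sync-time guard: keep only source ids that exist in this workspace and are
// not soft-deleted, so cross-workspace rows are never written.
function filterInWorkspaceSourceIds(workspaceId: WorkspaceId, sourceIds: PageId[]): PageId[] {
  const live = new Set(
    pages.filter((r) => r.workspaceId === workspaceId && r.deletedAt === null).map((r) => r.id),
  );
  return sourceIds.filter((id) => live.has(id));
}

// Rebuilds the reference rows for one template on each sync; a source id that
// is no longer in the workspace is simply not re-inserted (self-heal).
function syncTemplateReferences(
  templatePageId: PageId, workspaceId: WorkspaceId, sourceIds: PageId[],
): TemplateRef[] {
  return filterInWorkspaceSourceIds(workspaceId, sourceIds)
    .map((sourcePageId) => ({ templatePageId, sourcePageId }));
}

// Read-time guard: the reference table carries no access information, so the
// consumer throttles, filters against the viewer's permissions, caps the result
// and strips fields (comments here) the viewer is not meant to receive.
function lookupTemplate(
  user: UserId, refs: TemplateRef[], now: number, maxResults = 50,
): Array<{ id: PageId; content: string }> | "throttled" {
  if (!PAGE_TEMPLATE_THROTTLER.allow(user, now)) return "throttled";
  const allowed = viewerAccess.get(user) ?? new Set<PageId>();
  return refs
    .filter((r) => allowed.has(r.sourcePageId))
    .slice(0, maxResults)
    .map((r) => pages.find((p) => p.id === r.sourcePageId))
    .filter((p): p is PageRow => p !== undefined)
    .map(({ id, content }) => ({ id, content }));
}
```

The order inside lookupTemplate matters: the throttle check runs before any row is touched, so a client that has exhausted its window costs nothing beyond a map lookup, and the permission filter runs before the cap so that rows the viewer cannot see do not consume slots in the result.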
A progressive Node.js framework for building efficient and scalable server-side applications.
## Description

Nest framework TypeScript starter repository.
## Installation

```bash
$ npm install
```
## Running the app

```bash
# development
$ npm run start

# watch mode
$ npm run start:dev

# production mode
$ npm run start:prod
```
## Migrations

```bash
# Creates a new empty migration file named 'init'
$ npm run migration:create --name=init

# Generates an 'init' migration file from the existing entities to update the database schema
$ npm run migration:generate --name=init

# Runs all pending migrations to update the database schema
$ npm run migration:run

# Reverts the last executed migration
$ npm run migration:revert

# Reverts all migrations: the same command reverts one migration per run, so repeat it until no executed migrations remain
$ npm run migration:revert

# Shows the list of executed and pending migrations
$ npm run migration:show
```
## Test
```bash
# unit tests
$ npm run test
# e2e tests
$ npm run test:e2e
# test coverage
$ npm run test:cov
```
## Support
Nest is an MIT-licensed open source project. It can grow thanks to the sponsors and support by the amazing backers. If you'd like to join them, please read more here.
## Stay in touch
- Author - Kamil Myśliwiec
- Website - https://nestjs.com
- Twitter - @nestframework
## License
Nest is MIT licensed.