2 Commits

Author SHA1 Message Date
206144d20d Fix 2 pentest findings: unlock permission check + permanent lock preservation
SC-01: unlock_event now verifies caller has access to the calendar before
revealing lock state. Previously any authenticated user could probe event
existence via 404/204/403 response differences.

SC-02: acquire_lock no longer overwrites permanent locks. If the owner holds
a permanent lock and clicks Edit, the existing lock is returned as-is instead
of being downgraded to a 5-minute temporary lock.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-06 23:37:05 +08:00
e6e81c59e7 Phase 2: Shared calendars backend core + QA fixes
Router: invite/accept/reject flow, membership CRUD, event locking
(timed + permanent), sync endpoint, local color override.
Services: permission hierarchy, atomic lock acquisition, disconnect cascade.
Events: shared calendar scoping, permission/lock enforcement, updated_by tracking.
Admin: sharing-stats endpoint. nginx: rate limits for invite + sync.

QA fixes: C-01 (read-only invite gate), C-02 (updated_by in this_and_future),
W-01 (pre-commit response build), W-02 (owned calendar short-circuit),
W-03 (sync calendar_ids cap), W-04 (N+1 owner name batch fetch).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-06 04:46:17 +08:00
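
The SC-01 finding in commit 206144d20d, as an added example that is not the project's code: a simplified in-memory model of an unlock handler before and after an access check, showing how the set of status codes an outsider sees collapses to one. The `Store` layout, the user names, the event ids, the mapping of conditions to status codes and the choice of 404 for callers without access are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Store:
    # Constructed sample data (hypothetical, not from the project):
    # event id -> calendar id, calendar id -> member ids, event id -> lock holder.
    events: dict = field(default_factory=lambda: {101: "cal-a", 102: "cal-a"})
    members: dict = field(default_factory=lambda: {"cal-a": {"alice", "bob"}})
    locks: dict = field(default_factory=lambda: {101: "alice"})

def unlock_before(store, user, event_id):
    """Assumed pre-fix shape: lock state is consulted with no access check."""
    if event_id not in store.events:
        return 404
    holder = store.locks.get(event_id)
    if holder is not None and holder != user:
        return 403  # tells any caller: event exists and someone else holds the lock
    store.locks.pop(event_id, None)
    return 204      # tells any caller: event exists

def unlock_after(store, user, event_id):
    """Assumed post-fix shape: calendar access is verified before lock state."""
    calendar = store.events.get(event_id)
    if calendar is None or user not in store.members.get(calendar, set()):
        return 404  # assumption: same answer for "missing" and "no access"
    holder = store.locks.get(event_id)
    if holder is not None and holder != user:
        return 403
    store.locks.pop(event_id, None)
    return 204

def distinct_responses(handler, user, event_ids):
    """Status codes one caller sees across ids; more than one is an existence oracle."""
    return {handler(Store(), user, eid) for eid in event_ids}

PROBE_IDS = [101, 102, 999]  # constructed: locked, unlocked, nonexistent

if __name__ == "__main__":
    # "mallory" is a hypothetical authenticated user with no calendar membership.
    print("before:", sorted(distinct_responses(unlock_before, "mallory", PROBE_IDS)))
    print("after: ", sorted(distinct_responses(unlock_after, "mallory", PROBE_IDS)))
    print("member:", sorted(distinct_responses(unlock_after, "bob", PROBE_IDS)))
```

A regression test for this class of bug can assert exactly that property: for a caller without access, the response to an existing event id equals the response to a nonexistent one.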