fix(events): enforce authorization for private event and attendee access #335
Open
Ridanshi wants to merge 1 commit into
Open
fix(events): enforce authorization for private event and attendee access #335Ridanshi wants to merge 1 commit into
Ridanshi wants to merge 1 commit into
Conversation
…v-Card#300) Public events remain fully accessible without authentication. Private events now require the caller to be the organizer or a confirmed attendee; unauthenticated callers receive 401 and authenticated non-members receive 403. Changes: - add getRequestUserId() soft-auth helper (returns null gracefully, never throws, used only on read endpoints) - add canAccessEvent() returns 'allowed' | 'unauthenticated' | 'forbidden' so callers can issue semantically correct 401 vs 403 - GET /api/events/:slug — visibility enforced after DB fetch; isPublic field intentionally excluded from response body - GET /api/events/:slug/attendees — visibility enforced before returning any attendee data - Routes registered with /api/events prefix in app.ts (removes the double-prefix issue from the prior implementation) - 46 tests added covering public access, private 401/403, organizer access, attendee access, no-sensitive-field leakage, and unchanged pagination/sorting behaviour
Ridanshi
force-pushed
the
fix/private-event-visibility
branch
from
ff7f939 to
cebe90a
Compare
Harxhit
reviewed
May 26, 2026
| } | ||
| }; | ||
|
|
||
| type EventWithAttendees = Prisma.EventGetPayload<{ |
Collaborator
There was a problem hiding this comment.
Rather than this can you use type.
Harxhit
reviewed
May 26, 2026
| * Returns null for unauthenticated requests or invalid/expired tokens. | ||
| * Never throws — safe to call on any request regardless of auth state. | ||
| */ | ||
| async function getRequestUserId(request: FastifyRequest): Promise<string | null> { |
Collaborator
There was a problem hiding this comment.
Can you make this util function please?
Harxhit
reviewed
May 26, 2026
| }>, | ||
| reply: FastifyReply, | ||
| ) => { | ||
| let decoded: { id: string }; |
Collaborator
There was a problem hiding this comment.
You made a function why didn't used it here?
Harxhit
reviewed
May 26, 2026
| request: FastifyRequest<{ Params: { slug: string } }>, | ||
| reply: FastifyReply, | ||
| ) => { | ||
| let decoded: { id: string }; |
Collaborator
|
The POST /api/events/:slug/join handler fetches the event and creates an attendee record with no check on event.endDate. Users can successfully join an event that ended days or months ago, corrupting attendance data and attendance counts. Also could you please add lint and tests proofs in pr descriptions. |
Harxhit
added
the
gssoc:approved
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #300
Summary
Fixes a privacy and authorization flaw where private event data and attendee information were accessible to unauthenticated and unauthorized users.
Previously:
GET /api/events/:slugGET /api/events/:slug/attendeesreturned private event metadata and attendee profile information without enforcing:
This allowed unrestricted enumeration of private events and attendee identities.
Authorization Model Implemented
Introduced centralized authorization helpers: