fix(paper): isolate strategy candidates + backtest history by account, close cross-tenant leak #132
Merged
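Post-deployment verification: after logging in, test2 saw other users' strategy candidates and backtest history. Fix: 1) add an account_id column to the backtest_runs table (0025) + filter across the whole list_recent/list_by_research/list_by_strategy chain + insert_run writes account_id + runner passes it through 2) add owner_account_id filtering to strategy_candidates/list_candidates; the endpoint changes from _user to user and passes account_id_from_user(user). All 886 tests pass. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>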
Deploying inalpha-web with
| Latest commit: | 675f06c |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://ebada2a7.inalpha-web.pages.dev |
| Branch Preview URL: | https://fix-cross-tenant-data-leaks.inalpha-web.pages.dev |
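post_backtest_cv and post_backtest_sensitivity do not write to backtest_runs, but the endpoint signatures are now unified to user + account_id passed through to runner/sensitivity, so that passing it is not forgotten if they write to the table in the future. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add two workflows to replace the previous Claude Code review setup: - glm-review.yml: automatically reviews the diff on PR opened/synchronize, summarized in a sticky comment - glm.yml: @glm in a PR/issue triggers an interactive conversation. Authorization: Bearer is injected via the GitHub Secret ZHIPUAI_API_KEY. Non-blocking design (continue-on-error); does not affect PR merging. Co-Authored-By: Claude <noreply@anthropic.com>
list_by_research/list_by_strategy/list_recent previously built the where variable by f-string concatenation; after switching to a ternary clause + f-string, clause has only three controllable values, eliminating the possibility of SQL injection. Co-Authored-By: Claude <noreply@anthropic.com>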
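The two fixes described in the commits above (account_id filtering on every backtest_runs listing, and a WHERE clause limited to a fixed set of fragments) can be sketched as follows. This is an added example, not code from the PR or the project: only the names backtest_runs and account_id come from the page, while the other columns, the list_runs function, and the lookup table used in place of the ternary are assumptions.

```python
import sqlite3

# Hypothetical minimal schema: only backtest_runs and account_id come from the PR text.
SCHEMA = """
CREATE TABLE backtest_runs (
    id INTEGER PRIMARY KEY,
    account_id INTEGER NOT NULL,
    strategy_id TEXT NOT NULL,
    research_id TEXT,
    created_at INTEGER NOT NULL
);
"""

# The only WHERE fragments that can ever reach the SQL text. Caller input
# selects a key; it is never interpolated into the statement itself.
_CLAUSES = {
    "recent": "account_id = ?",
    "strategy": "account_id = ? AND strategy_id = ?",
    "research": "account_id = ? AND research_id = ?",
}

def list_runs(conn, account_id, kind="recent", value=None, limit=20):
    """Return run ids visible to one account; account_id is mandatory."""
    if account_id is None:
        raise ValueError("account_id is required")  # fail closed, never list all tenants
    clause = _CLAUSES[kind]  # KeyError on anything outside the fixed set
    params = [account_id] if kind == "recent" else [account_id, value]
    sql = f"SELECT id FROM backtest_runs WHERE {clause} ORDER BY created_at DESC LIMIT ?"
    return [row[0] for row in conn.execute(sql, (*params, limit))]

def demo_db():
    """Constructed sample data: two accounts sharing one strategy id."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO backtest_runs (id, account_id, strategy_id, research_id, created_at)"
        " VALUES (?, ?, ?, ?, ?)",
        [(1, 1, "sma", "r1", 100), (2, 1, "rsi", "r2", 200), (3, 2, "sma", "r1", 300)],
    )
    return conn
```

Every filter value, including the tenant id, travels as a bound parameter, so a regression test can assert that two accounts sharing a strategy id never see each other's rows.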
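Cross-tenant data leak fix
Contains two unrelated changes, bundled in the same branch because the GLM workflow was added midway and I forgot to split the branch
1. fix(paper): isolate strategy candidates + backtests by account
2. feat(ci): GLM-5.2 PR review + @glm interaction
ZHIPUAI_API_KEY is configured
🤖 Generated with [Claude Code](https://claude.com/claude-code)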