fix(security): mod-permission gate for App Review (cm-devvit 0.3.x)#34
Merged
Conversation
… mod-gates Pulls the requireModerator() failure-to-toast mapping out of forms.ts into src/lib/authFailToast.ts so menu.ts can reuse the exact wording (including the Polish #10 transient-vs-terminal split). One source of truth, same anti-drift rationale as openaiErrors.ts. No behavior change. Pinned by tests/lib/authFailToast.test.ts. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Reddit App Review rejected 0.3.0: mod-only actions must check mod perms server-side, not rely on the menu forUserType. The six /internal/menu/* handlers are HTTP-reachable by any Observatory custom-post viewer, so a non-mod could POST them directly (reload-config publishes config, recent-actions creates a post). All six now call requireModerator() before acting and return a Mod-only toast otherwise; the two action handlers resolve the sub via auth.sub. Verified: 923/923 tests including new tests/routes/menu-auth.test.ts; tsc + lint clean. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…rns 403 A non-mod opening the Observatory post previously saw an empty shell plus a misleading 'Telemetry API unreachable' banner (no data leaked, but it reads as a bug). The client now renders a dedicated 'Moderators only' notice when /api/recent or /api/stats reply 403, gated strictly on a forbidden flag (status 403) so a transient 503/500 for a real mod still shows the retry banner. Pinned by tests/client/app.test.tsx + api.test.ts. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
New 'Moderator permissions and data access' section (App Review bullet 4): every gated surface, the binary is-a-moderator gate, the intentional any-mod-can-edit-config exception (analogous to AutoModerator), and the safe unauth exceptions (/api/health, ?demo=1, platform-only trigger/cron). FAQ 'Can other mods edit the config?' corrected to cover the in-app editor path. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…entry Verbatim rejection + tiered findings + bullet-by-bullet status in docs/submission/app-review-feedback-2026-06-07.md; Unreleased changelog entry. Second-model adversarial audit (gemini-agent, Codex CLI unavailable) confirmed every mod-data/mod-action endpoint is gated and fails closed. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
|
||
| import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'; | ||
| import { render, screen, waitFor, act } from '@testing-library/react'; | ||
| import { render, screen, waitFor, act, within } from '@testing-library/react'; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Reddit App Review rejected cm-devvit 0.3.0 on mod-permission handling (2026-06-07). This PR closes the gap and documents the permission model so the app can be re-submitted.
Reviewer's four bullets, addressed
forUserType: "moderator": already true for all six items indevvit.json(now documented)./api/*endpoints were already mod-gated; the client now shows an explicit "Moderators only" notice on 403 instead of a misleading error banner./internal/menu/*handlers now callrequireModerator()server-side. They previously relied only onforUserType, but the endpoints are HTTP-reachable by any custom-post viewer.Commits (atomic)
refactor(auth): extract sharedauthFailToasthelperfix(security): verify moderator on every mod-menu handlerfeat(client): moderators-only gate on 403docs(readme): permission-model section + FAQ fixdocs: App Review feedback response + changelogVerification
npm run type-check+npm run lint: cleannpm run test: 923/923 pass (adds menu-auth, authFailToast, client 403-gate coverage)/api/healthliveness probe and platform-only trigger/cron routes.After merge
Re-submit via
npm run launchfrom main (ships 0.3.1 for review). r/cm_devvit_test is public with the Observatory post visible, so the reviewer can test.🤖 Generated with Claude Code