
Enhance chat creation endpoint to check project access using user email#2

Open
ryanmcdonough wants to merge 1 commit into willchen96:main from ryanmcdonough:main

Conversation

@ryanmcdonough

Fix Issue #1

Added an explicit authorisation check to POST /chat/create so chats can only be created against projects the caller can access.

In backend/src/routes/chat.ts, the route now reads userEmail from auth context and, when project_id is provided, calls checkProjectAccess(projectId, userId, userEmail, db) before insert.
If access is denied, the endpoint now returns 404 Project not found and does not write a chat row.
If access is allowed (owner or shared member), behaviour is unchanged and chat creation proceeds.
This closes the app-layer project spoofing vector where authenticated users could previously create chats under arbitrary existing project_id values.
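The check described above, as an added example that is not the project's own code: a framework-free model of the hardened handler, with an in-memory `db`, the `Project`/`Chat` shapes, the `sampleDb` fixture and the "owner or shared member by email" rule all assumed for illustration.

```typescript
// Assumed data shapes (not the project's real schema).
type Project = { id: string; ownerId: string; sharedWith: string[] };
type Chat = { id: string; projectId: string | null; userId: string };
type Db = { projects: Project[]; chats: Chat[] };
type Auth = { userId: string; userEmail: string };
type Resp = { status: number; body: unknown };

// Access rule assumed here: the owner (by user id) or a shared member
// (by email, compared case-insensitively). An unknown project id is denied
// too, so the caller cannot probe for existence.
function checkProjectAccess(
  projectId: string, userId: string, userEmail: string, db: Db,
): boolean {
  const p = db.projects.find((x) => x.id === projectId);
  if (!p) return false;
  const email = userEmail.toLowerCase();
  return p.ownerId === userId ||
    p.sharedWith.some((e) => e.toLowerCase() === email);
}

// Hardened POST /chat/create: previously any authenticated caller could
// pass an arbitrary existing project_id and a chat row was written under
// it. Now the check runs before the insert, and a denied project returns
// the same 404 as a missing one, with no row written.
function createChat(auth: Auth, body: { project_id?: string }, db: Db): Resp {
  const projectId = body.project_id ?? null;
  if (projectId !== null &&
      !checkProjectAccess(projectId, auth.userId, auth.userEmail, db)) {
    return { status: 404, body: { error: "Project not found" } };
  }
  const chat: Chat = {
    id: `chat-${db.chats.length + 1}`, projectId, userId: auth.userId,
  };
  db.chats.push(chat);
  return { status: 200, body: chat };
}

// Constructed fixture: alice owns p1 and shares it with bob; p2 is private.
function sampleDb(): Db {
  return {
    projects: [
      { id: "p1", ownerId: "alice", sharedWith: ["bob@example.com"] },
      { id: "p2", ownerId: "carol", sharedWith: [] },
    ],
    chats: [],
  };
}
```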

nwhitehouse added a commit to nwhitehouse/mike that referenced this pull request May 7, 2026
Replaces the freeform <CITATIONS> JSON block with an explicit add_citation
tool the model invokes per [N] marker. Tool calls are far more reliable
on Olava than freeform output formats, mirroring the SLM-friendly pattern
established by feat-005's multi-pass orchestrator. Legacy block parsing
remains as a fallback so any model regression still surfaces citations.

Frontend: replaces the browser-native title= tooltip with a styled hover
popover (filename + page + serif quote). Fixes a same-doc rescroll bug
where clicking citation #2 on an already-open doc tab kept the viewer
on citation #1 — upsertTab now drops the prior initialScrollTop when
the new mode has its own scroll target.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>