
Conversation


@kstij kstij commented Aug 8, 2025

Summary

This PR fixes an authorization bypass vulnerability that allowed any user to delete or update a shared brain by setting isShare: true and providing the brain's ID without verifying membership.

Vulnerability Details

Previously, the deleteBrain function did not confirm that the requesting user was a member of the shared brain. This allowed unauthorized users to perform destructive actions on shared resources.

Fix

  • Added a membership check when isShare is true:
    • Queries ShareBrain for a matching record of the brain and user.
    • Throws an unauthorized error if no match is found.
    • Proceeds with deletion/update only for authorized members.

@Jay-Thesia-Weam (Collaborator) commented

@kstij When deleting an archived brain permanently (hard delete), we only remove it from the brain table;
we also have to remove it from the ShareBrain and ChatMember tables. Add this enhancement, then do the PR again.

kstij added 2 commits August 15, 2025 00:20
…er records

- Add cleanup of ShareBrain records when permanently deleting a brain
- Add cleanup of ChatMember records when permanently deleting a brain
- Import ChatMember model in brain service
- Add error handling for cleanup operations
- Enhance both single brain deletion and bulk deletion
- Maintain backward compatibility for soft deletes
@kstij kstij (Author) commented Aug 14, 2025

Enhancement Complete: Added proper cleanup of related records when permanently deleting brains

Changes made:

  • Added cleanup of ShareBrain records when permanently deleting a brain
  • Added cleanup of ChatMember records when permanently deleting a brain
  • Imported ChatMember model in brain service
  • Added error handling for cleanup operations
  • Enhanced both single brain deletion and bulk deletion
  • Maintained backward compatibility for soft deletes

What this fixes:

  • Prevents orphaned ShareBrain records when brains are permanently deleted
  • Prevents orphaned ChatMember records when brains are permanently deleted
  • Ensures data consistency across the database
  • Addresses the moderator's feedback about proper cleanup
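As an added illustration of both points in this thread, the ShareBrain membership check from the PR description and the ShareBrain/ChatMember cleanup on permanent deletion described in this comment, here is a self-contained model of the brain service (example code written for this discussion, not the project's own code). The collections are constructed in-memory arrays standing in for the Brain, ShareBrain and ChatMember tables; the field names `brainId`, `userId`, `ownerId`, `deletedAt`, and the owner check on the non-shared path are assumptions, not the project's schema.

```javascript
// Added example, not code from the project. Models deleteBrain with
// (1) the membership check when isShare is true and (2) cleanup of related
// ShareBrain / ChatMember rows on a hard delete, in plain synchronous JS.

class UnauthorizedError extends Error {
  constructor(message) {
    super(message);
    this.name = 'UnauthorizedError';
  }
}

// Constructed sample data: shared brain b1 with members u1 and u2, and a
// private brain b2 owned by u3. Field names are assumptions.
function makeDb() {
  return {
    brains: [
      { id: 'b1', ownerId: 'u1', isShare: true, deletedAt: null },
      { id: 'b2', ownerId: 'u3', isShare: false, deletedAt: null },
    ],
    shareBrains: [
      { brainId: 'b1', userId: 'u1' },
      { brainId: 'b1', userId: 'u2' },
    ],
    chatMembers: [
      { brainId: 'b1', userId: 'u1' },
      { brainId: 'b1', userId: 'u2' },
      { brainId: 'b2', userId: 'u3' },
    ],
  };
}

// Remove every row matching pred in place; return how many were removed.
function removeWhere(rows, pred) {
  const before = rows.length;
  for (let i = rows.length - 1; i >= 0; i--) {
    if (pred(rows[i])) rows.splice(i, 1);
  }
  return before - rows.length;
}

// The fix from the PR: the requesting user must have a ShareBrain row for
// this brain. Without it, any caller who knew a brain id could send
// isShare: true and act on someone else's shared brain.
function assertSharedBrainMember(db, brainId, userId) {
  const member = db.shareBrains.find(
    (s) => s.brainId === brainId && s.userId === userId,
  );
  if (!member) {
    throw new UnauthorizedError(`user ${userId} is not a member of brain ${brainId}`);
  }
}

function deleteBrain(db, { brainId, userId, isShare, hardDelete = false }) {
  const brain = db.brains.find((b) => b.id === brainId);
  if (!brain) throw new Error(`brain ${brainId} not found`);

  if (isShare) {
    assertSharedBrainMember(db, brainId, userId);
  } else if (brain.ownerId !== userId) {
    // Assumed owner check for non-shared brains; the PR only describes the
    // shared path, so this branch is an assumption of this example.
    throw new UnauthorizedError(`user ${userId} does not own brain ${brainId}`);
  }

  if (!hardDelete) {
    // Soft delete: mark the row, leave related records untouched.
    brain.deletedAt = new Date();
    return { hardDeleted: false, removedShares: 0, removedMembers: 0 };
  }

  // Hard delete: clean up related rows first so a failure never leaves the
  // brain gone but its ShareBrain / ChatMember rows orphaned. Cleanup errors
  // are rethrown with context rather than swallowed.
  const result = { hardDeleted: true, removedShares: 0, removedMembers: 0 };
  try {
    result.removedShares = removeWhere(db.shareBrains, (s) => s.brainId === brainId);
    result.removedMembers = removeWhere(db.chatMembers, (m) => m.brainId === brainId);
  } catch (err) {
    throw new Error(`cleanup for brain ${brainId} failed: ${err.message}`);
  }
  removeWhere(db.brains, (b) => b.id === brainId);
  return result;
}

// Bulk variant: the same per-brain authorization and cleanup, applied to
// each id, so bulk deletion cannot skip the membership check.
function deleteBrains(db, brainIds, opts) {
  return brainIds.map((brainId) => deleteBrain(db, { ...opts, brainId }));
}
```

The important property is that `isShare` is client-controlled input, so it must never by itself grant access: it only selects which authorization check runs (ShareBrain membership versus ownership), and the hard-delete path runs only after that check has passed.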

@kstij kstij changed the title fix: enforce membership check before deleting/updating shared brain #52 fix: enforce membership check before deleting/updating shared brain Aug 25, 2025