
Fix tenant scoping in code completion and milestones#99

Draft
cursor[bot] wants to merge 1 commit into main from cursor/critical-bug-investigation-7763

Conversation

cursor[bot] (Contributor) commented Jun 20, 2026

Bug and impact

  • /api/code-completion was reachable without route-level auth and its DB fallback selected reusable snippets from all repo_files, exposing other users' file paths/summaries through selectedSnippets and LLM context.
  • Project milestone PATCH/DELETE authenticated the caller but mutated by milestone id alone, allowing cross-user milestone modification/deletion if a milestone UUID was known.

Root cause

  • Code completion fallback did not join through repositories.user_id, and API middleware only protects /dashboard/*.
  • Milestone mutation helpers did not constrain updates/deletes by URL project id and project owner.

Fix

  • Require getCurrentUser() for code completion POST/PUT and scope fallback snippets to repositories owned by the authenticated user.
  • Pass project id and user id into milestone update/delete helpers and enforce ownership in SQL joins; return 404 when scoped mutation matches nothing.

Validation

  • pnpm exec tsc --noEmit
  • pnpm exec eslint app/api/code-completion/route.ts app/api/projects/[id]/milestones/[milestoneId]/route.ts lib/queries.ts (passes with one pre-existing warning in lib/queries.ts)
  • Live dev-server curl confirmed unauthenticated POST /api/code-completion and PATCH /api/projects/:id/milestones/:milestoneId now return 401 Unauthorized.

Co-authored-by: Cole Collins <DealPatrol@users.noreply.github.com>
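The two scoping fixes the description above outlines, as an added example that is not the PR's own code: an in-memory stand-in for the tables the PR names (repositories, repo_files, projects, milestones) with the fallback snippet query constrained through repositories.user_id, and milestone mutation keyed on milestone id, URL project id and project owner together, so a non-matching scope yields a null that the handler turns into 404. Column names other than repositories.user_id, the user ids, the sample rows and the helper names are assumptions made for this example.

```typescript
// Added example, not code from the PR. Tables are modelled as arrays; column
// names beyond repositories.user_id are assumptions.
type Repository = { id: string; user_id: string };
type RepoFile = { id: string; repository_id: string; path: string; summary: string };
type Project = { id: string; user_id: string };
type Milestone = { id: string; project_id: string; title: string; done: boolean };
type MilestonePatch = Partial<Pick<Milestone, "title" | "done">>;

// Constructed sample data: two users, each owning one repository and one project.
const repositories: Repository[] = [
  { id: "repo-a", user_id: "alice" },
  { id: "repo-b", user_id: "bob" },
];
const repoFiles: RepoFile[] = [
  { id: "f1", repository_id: "repo-a", path: "src/auth.ts", summary: "alice login helper" },
  { id: "f2", repository_id: "repo-b", path: "internal/billing.ts", summary: "bob billing logic" },
];
const projects: Project[] = [
  { id: "proj-a", user_id: "alice" },
  { id: "proj-b", user_id: "bob" },
];
const milestones: Milestone[] = [
  { id: "m-a", project_id: "proj-a", title: "alice v1", done: false },
  { id: "m-b", project_id: "proj-b", title: "bob v1", done: false },
];

// Before the fix: the fallback read every repo_files row, whoever owned it.
function unscopedSnippets(): RepoFile[] {
  return repoFiles;
}

// After the fix, the equivalent of
//   SELECT f.* FROM repo_files f
//   JOIN repositories r ON r.id = f.repository_id
//   WHERE r.user_id = $userId
function snippetsForUser(userId: string): RepoFile[] {
  const owned = new Set(repositories.filter(r => r.user_id === userId).map(r => r.id));
  return repoFiles.filter(f => owned.has(f.repository_id));
}

// Scoped lookup shared by update and delete. Mirrors a WHERE clause of
//   m.id = $milestoneId AND m.project_id = $projectId
//   AND p.id = m.project_id AND p.user_id = $userId
// A milestone that exists but belongs to another user, or is addressed under
// the wrong project id in the URL, matches zero rows.
function ownedMilestoneIndex(projectId: string, milestoneId: string, userId: string): number {
  return milestones.findIndex(m =>
    m.id === milestoneId &&
    m.project_id === projectId &&
    projects.some(p => p.id === m.project_id && p.user_id === userId));
}

// Returns the updated row, or null when the scoped UPDATE touched nothing.
function updateMilestoneScoped(
  projectId: string, milestoneId: string, userId: string, patch: MilestonePatch,
): Milestone | null {
  const idx = ownedMilestoneIndex(projectId, milestoneId, userId);
  if (idx === -1) return null;
  milestones[idx] = { ...milestones[idx], ...patch };
  return milestones[idx];
}

// Returns true only when a row in scope was actually removed.
function deleteMilestoneScoped(projectId: string, milestoneId: string, userId: string): boolean {
  const idx = ownedMilestoneIndex(projectId, milestoneId, userId);
  if (idx === -1) return false;
  milestones.splice(idx, 1);
  return true;
}

// Route-handler shape: authenticate first (401), then let the scoped mutation
// decide existence (404). currentUser stands in for getCurrentUser()'s result.
function handleMilestonePatch(
  currentUser: string | null,
  params: { id: string; milestoneId: string },
  body: MilestonePatch,
): { status: number; body?: Milestone } {
  if (!currentUser) return { status: 401 };
  const updated = updateMilestoneScoped(params.id, params.milestoneId, currentUser, body);
  return updated ? { status: 200, body: updated } : { status: 404 };
}
```

Returning 404 rather than 403 on a scope miss keeps the response identical whether the milestone id is unknown or belongs to someone else, so a caller who has guessed a UUID learns nothing about its existence.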
vercel[bot] (Contributor) commented Jun 20, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
--- | --- | --- | ---
repo-app-architect | Ready | Preview, Comment | Jun 20, 2026 11:07am
repofuse | Ready | Preview, Comment, Open in v0 | Jun 20, 2026 11:07am
v0-repo-app-architect | Ready | Preview, Comment, Open in v0 | Jun 20, 2026 11:07am
