User Request
Type: bug
Target: Console Application
Submitted by: @aashu2006
Console Request ID: 9c0a071f-5fdc-40f7-be9b-dff697ba807a
Description
What happened:
In pkg/api/handlers/cards.go:282-328, RecordFocus has no h.requireEditorOrAdmin(c) check despite writing to both card_focus and the event log. Every other mutating card operation (CreateCard, UpdateCard, DeleteCard, MoveCard) calls requireEditorOrAdmin first. The file's own comment at lines 35-37 states viewers must not be able to mutate cards via the API.
What I expected:
RecordFocus should call h.requireEditorOrAdmin(c) before performing any writes, consistent with all other mutating card operations.
Steps to reproduce:
- Log in as a viewer-role user
- Call the RecordFocus endpoint
- Observe the write succeeds despite the viewer role
This issue was automatically created from the KubeStellar Console.
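The pattern the report asks for, as an added example that is not the KubeStellar Console's own code: a role gate implemented as a handler method, called before any write, next to an unguarded handler that reproduces the reported behaviour. The real handlers use the project's own router context and database; here the store, the role names, the context key, the `X-User` header and the `Exercise` helper are all assumptions made so the example runs stand-alone with net/http and httptest.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// ctxKey and the role names are assumptions for this example; the project's
// auth middleware and role vocabulary may differ.
type ctxKey string

const roleKey ctxKey = "role"

const (
	RoleViewer = "viewer"
	RoleEditor = "editor"
	RoleAdmin  = "admin"
)

// FocusStore is a constructed in-memory stand-in for the card_focus table and
// the event log, so that the test can count writes.
type FocusStore struct {
	mu     sync.Mutex
	Focus  map[string]string // cardID -> user currently focused on it
	Events []string          // appended on every focus write
}

func NewFocusStore() *FocusStore { return &FocusStore{Focus: map[string]string{}} }

func (s *FocusStore) recordFocus(cardID, user string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.Focus[cardID] = user
	s.Events = append(s.Events, "focus:"+cardID+":"+user)
}

// Handlers carries the store; the gate is a method so that every mutating
// handler calls exactly the same check.
type Handlers struct{ store *FocusStore }

// requireEditorOrAdmin writes 403 and returns false for viewers and for
// requests with no role at all (fail closed). It must run before any write.
func (h *Handlers) requireEditorOrAdmin(w http.ResponseWriter, r *http.Request) bool {
	role, _ := r.Context().Value(roleKey).(string)
	if role != RoleEditor && role != RoleAdmin {
		http.Error(w, "forbidden", http.StatusForbidden)
		return false
	}
	return true
}

// RecordFocusUnguarded mirrors the reported defect: it writes to the store
// without consulting the caller's role.
func (h *Handlers) RecordFocusUnguarded(w http.ResponseWriter, r *http.Request) {
	h.store.recordFocus(r.URL.Query().Get("card"), r.Header.Get("X-User"))
	w.WriteHeader(http.StatusNoContent)
}

// RecordFocus is the fixed form: gate first, write only if the gate passed.
func (h *Handlers) RecordFocus(w http.ResponseWriter, r *http.Request) {
	if !h.requireEditorOrAdmin(w, r) {
		return
	}
	h.store.recordFocus(r.URL.Query().Get("card"), r.Header.Get("X-User"))
	w.WriteHeader(http.StatusNoContent)
}

// WithRole stands in for the authentication middleware that would normally
// resolve the session and place the role in the request context.
func WithRole(role string, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		next(w, r.WithContext(context.WithValue(r.Context(), roleKey, role)))
	}
}

// Exercise runs one handler as the given role against a fresh store and
// returns the HTTP status and the number of writes that reached the store.
func Exercise(role string, guarded bool) (status int, writes int) {
	h := &Handlers{store: NewFocusStore()}
	fn := h.RecordFocusUnguarded
	if guarded {
		fn = h.RecordFocus
	}
	req := httptest.NewRequest(http.MethodPost, "/cards/focus?card=c1", nil)
	req.Header.Set("X-User", "u1")
	rec := httptest.NewRecorder()
	WithRole(role, fn)(rec, req)
	return rec.Code, len(h.store.Events)
}

func main() {
	for _, role := range []string{RoleViewer, RoleEditor, ""} {
		s, w := Exercise(role, true)
		fmt.Printf("role=%q guarded: status=%d writes=%d\n", role, s, w)
	}
}
```

The gate returns a bool rather than panicking or relying on middleware ordering, so a missing call is visible in the handler body itself and easy to spot in review; running the unguarded variant with a viewer role is the reproduction from the report, and the empty-role case shows the check failing closed rather than open.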