Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.

fix(security): force:false in repair step + server-side project creation policy#283

Merged
rubenvdlinde merged 1 commit into
developmentfrom
fix/force-false-project-creation-policy
May 28, 2026
Merged

fix(security): force:false in repair step + server-side project creation policy#283
rubenvdlinde merged 1 commit into
developmentfrom
fix/force-false-project-creation-policy

Conversation

@rubenvdlinde

Copy link
Copy Markdown
Contributor

Summary

  • C2 InitializeSettings::run — change force: true back to force: false. The repair step must respect already-configured OR schema IDs and not overwrite operator customisations on every install/upgrade. PR fix: use force:false in repair step to prevent overwriting operator schema customisations #281 fixed this on main; this PR brings the fix to development.
  • H2 allow_project_creation is now enforced server-side as defence-in-depth:
    • SettingsService::canCurrentUserCreateProject() reads the policy key and returns false for non-admins when the setting is 'admins'
    • ProjectController::checkCreatePolicy() exposes GET /api/projects/check-create-policy (200 = allowed, 403 = forbidden); @NoAdminRequired — authenticated user call
    • ProjectCreationDialog::submit() calls the policy gate before delegating to OR so users who bypass the client-side canCreateProject guard still receive a 403

Test plan

  • PHP syntax: php -l on all modified PHP files — clean
  • force:false verified in InitializeSettings — no regression on fresh install (first run still imports because OR IDs are absent)
  • With allow_project_creation=admins: non-admin user's ProjectCreationDialog is blocked server-side (403)
  • With allow_project_creation=all (default): any authenticated user can still create projects

…ion policy (C2 + H2)

C2: InitializeSettings::run uses force:false (not force:true) so the repair
step respects already-configured OR schema IDs and does not overwrite
operator customisations on every install/upgrade. This was regressed on
development when the retrofit spec added force:true; main was already correct.

H2: allow_project_creation is now enforced server-side:
- SettingsService::canCurrentUserCreateProject() reads the policy config key
  and returns false for non-admins when the policy is 'admins'.
- ProjectController::checkCreatePolicy() exposes GET /api/projects/check-create-policy
  returning 200/403; requires @NoAdminRequired (authenticated user call).
- ProjectCreationDialog::submit() calls the policy gate before delegating to
  OR, so a user who bypasses the client-side canCreateProject guard still
  receives a 403 from the server.
@rubenvdlinde rubenvdlinde merged commit 8cd66d1 into development May 28, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant