Skip to content

CONV-310: Add API ownership guards#270

Merged
menvil merged 1 commit into
developfrom
feature/CONV-310-add-api-ownership-guards
Jun 3, 2026
Merged

CONV-310: Add API ownership guards#270
menvil merged 1 commit into
developfrom
feature/CONV-310-add-api-ownership-guards

Conversation

@menvil

@menvil menvil commented Jun 3, 2026

Copy link
Copy Markdown
Owner

Summary

  • Adds ApiOwnershipGuard with ensureFileOwner() and ensureConversionOwner() throwing AuthorizationException
  • Refactors FileController and ConversionController to use guard instead of abort_if
  • Extends ApiExceptionMapper to map 401/403/404 HttpExceptions to stable error codes (covers framework-converted exceptions)
  • Security tests verify cross-user access is blocked on all relevant endpoints

Test plan

  • File targets → 403 forbidden for non-owner
  • Estimate → 403 forbidden for non-owner file
  • Create conversion → 403 forbidden for non-owner file
  • Conversion status → 403 forbidden for non-owner
  • Conversion download → 403 forbidden for non-owner
  • composer test passes (593 tests)
  • composer lint passes

🤖 Generated with Claude Code


Summary by cubic

Adds a centralized API ownership guard to block cross-user access and standardizes auth errors to stable codes. Addresses CONV-310 by enforcing file/conversion ownership and simplifying controllers.

  • New Features

    • Added ApiOwnershipGuard with ensureFileOwner() and ensureConversionOwner() (throws AuthorizationException).
    • Extended ApiExceptionMapper to map 401/403/404 to codes: unauthorized/forbidden/not_found.
    • Security tests cover targets, estimate, create, status, and download for non-owner access.
  • Refactors

    • Replaced inline abort_if checks in FileController and ConversionController with the guard methods.

Written for commit 06c4fb2. Summary will update on new commits.

Review in cubic

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@menvil menvil merged commit 9a03b6f into develop Jun 3, 2026
1 check was pending
@coderabbitai

coderabbitai Bot commented Jun 3, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are limited based on label configuration.

🏷️ Required labels (at least one) (1)
  • release

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ccc2acb4-d07e-4be2-9d6a-995ff7208568

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feature/CONV-310-add-api-ownership-guards

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant