Fix destructive collection permissions for shared users #3

Draft
cursor[bot] wants to merge 2 commits into main from cursor/critical-bug-inspection-866e

cursor bot commented Apr 2, 2026

Summary

  • fixed a critical authorization bug where users with shared/grant-only access could rename or delete entire collections
  • tightened canRenameOrDeleteCollection to allow destructive operations only for owner and creator access states
  • added regression tests in src/server/access/collections.test.ts to ensure grants/non-members cannot perform destructive actions

Bug and impact

Grant recipients (users shared onto a collection but not owners/creators) were treated as eligible for rename/delete. Those operations can move or remove all objects under a collection prefix, causing major user-facing breakage and potential data loss.

Root cause

canRenameOrDeleteCollection returned state.kind !== "none", which accidentally granted destructive privileges to grant state.

Fix and validation

  • changed permission check to state.kind === "owner" || state.kind === "creator"
  • added unit tests covering allowed and denied states
  • validated with test run:
    • npm test ✅ (4 files, 20 tests passing)

cursoragent and others added 2 commits April 2, 2026 11:07
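
The denylist check and its allowlist replacement described in the PR summary above, side by side, as an added example that is not code from this PR or its repository. The `AccessState` shape, the `"grant"` literal, the `Before`/`Exhaustive` function names and the `"future-kind"` sample are assumptions made for illustration.

```typescript
// Added example. The AccessState shape is an assumption; only the function
// name and the two predicates come from the PR description.
type AccessState =
  | { kind: "owner" }
  | { kind: "creator" }
  | { kind: "grant" } // assumed literal for shared/grant-only access
  | { kind: "none" }; // non-member

// Before the fix: a denylist. Anything that is not "none" passes.
function canRenameOrDeleteCollectionBefore(state: AccessState): boolean {
  return state.kind !== "none";
}

// After the fix: an allowlist of the two states that may destroy data.
function canRenameOrDeleteCollection(state: AccessState): boolean {
  return state.kind === "owner" || state.kind === "creator";
}

// Hypothetical stricter variant (not in the PR): an exhaustive switch, so a
// newly added state kind fails type-checking until its permission is decided.
function canRenameOrDeleteCollectionExhaustive(state: AccessState): boolean {
  switch (state.kind) {
    case "owner":
    case "creator":
      return true;
    case "grant":
    case "none":
      return false;
    default: {
      const unhandled: never = state; // compile error if a kind is missing
      void unhandled;
      return false; // runtime fallback: deny
    }
  }
}

// Constructed inputs: every known kind plus one unknown kind, standing in for
// a state added later or deserialized from untyped data.
const SAMPLE_KINDS = ["owner", "creator", "grant", "none", "future-kind"];

// Kinds for which the given predicate permits rename/delete.
function allowedKinds(check: (s: AccessState) => boolean): string[] {
  return SAMPLE_KINDS.filter((kind) => check({ kind } as unknown as AccessState));
}
```

Passing each predicate to `allowedKinds` shows the denylist admitting `grant` and the unknown kind, while both allowlist forms admit only `owner` and `creator`.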