rick/rosterchirp-dev
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

v0.11.9 fixed tenant isolation bug

Browse Source
This commit is contained in:
Ricky Stretch
2026-03-21 12:53:00 -04:00
parent e0e800012c
commit c5a8d728d2
8 changed files with 85 additions and 60 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
backend/src/routes/groups.js
View File

@@ -10,16 +10,19 @@ function deleteImageFile(imageUrl) {
catch (e) { console.warn('[Groups] Could not delete image:', e.message); }
}
// Schema-aware room name helper
const R = (schema, type, id) => `${schema}:${type}:${id}`;
module.exports = (io) => {
async function emitGroupNew(schema, io, groupId) {
const group = await queryOne(schema, 'SELECT * FROM groups WHERE id=$1', [groupId]);
if (!group) return;
if (group.type === 'public') {
io.emit('group:new', { group });
io.to(R(schema, 'schema', 'all')).emit('group:new', { group });
} else {
const members = await query(schema, 'SELECT user_id FROM group_members WHERE group_id=$1', [groupId]);
for (const m of members) io.to(`user:${m.user_id}`).emit('group:new', { group });
for (const m of members) io.to(R(schema, 'user', m.user_id)).emit('group:new', { group });
}
}
@@ -32,7 +35,7 @@ async function emitGroupUpdated(schema, io, groupId) {
} else {
uids = await query(schema, 'SELECT user_id FROM group_members WHERE group_id=$1', [groupId]);
}
for (const m of uids) io.to(`user:${m.user_id}`).emit('group:updated', { group });
for (const m of uids) io.to(R(schema, 'user', m.user_id)).emit('group:updated', { group });
}
// GET all groups for current user
@@ -240,9 +243,9 @@ router.post('/:id/members', authMiddleware, async (req, res) => {
[mr.rows[0].id]
);
sysMsg.reactions = [];
io.to(`group:${group.id}`).emit('message:new', sysMsg);
io.in(`user:${userId}`).socketsJoin(`group:${group.id}`);
io.to(`user:${userId}`).emit('group:new', { group });
io.to(R(req.schema,'group',group.id)).emit('message:new', sysMsg);
io.in(R(req.schema,'user',userId)).socketsJoin(R(req.schema,'group',group.id));
io.to(R(req.schema,'user',userId)).emit('group:new', { group });
res.json({ success: true });
} catch (e) { res.status(500).json({ error: e.message }); }
});
@@ -276,9 +279,9 @@ router.delete('/:id/members/:userId', authMiddleware, async (req, res) => {
[mr.rows[0].id]
);
sysMsg.reactions = [];
io.to(`group:${group.id}`).emit('message:new', sysMsg);
io.in(`user:${targetId}`).socketsLeave(`group:${group.id}`);
io.to(`user:${targetId}`).emit('group:deleted', { groupId: group.id });
io.to(R(req.schema,'group',group.id)).emit('message:new', sysMsg);
io.in(R(req.schema,'user',targetId)).socketsLeave(R(req.schema,'group',group.id));
io.to(R(req.schema,'user',targetId)).emit('group:deleted', { groupId: group.id });
res.json({ success: true });
} catch (e) { res.status(500).json({ error: e.message }); }
});
@@ -302,9 +305,9 @@ router.delete('/:id/leave', authMiddleware, async (req, res) => {
[mr.rows[0].id]
);
sysMsg.reactions = [];
io.to(`group:${group.id}`).emit('message:new', sysMsg);
io.in(`user:${userId}`).socketsLeave(`group:${group.id}`);
io.to(`user:${userId}`).emit('group:deleted', { groupId: group.id });
io.to(R(req.schema,'group',group.id)).emit('message:new', sysMsg);
io.in(R(req.schema,'user',userId)).socketsLeave(R(req.schema,'group',group.id));
io.to(R(req.schema,'user',userId)).emit('group:deleted', { groupId: group.id });
if (group.is_direct) {
const remaining = await queryOne(req.schema, 'SELECT user_id FROM group_members WHERE group_id=$1 LIMIT 1', [group.id]);
if (remaining) await exec(req.schema, 'UPDATE groups SET owner_id=$1, updated_at=NOW() WHERE id=$2', [remaining.user_id, group.id]);
@@ -340,7 +343,7 @@ router.delete('/:id', authMiddleware, async (req, res) => {
const imageMessages = await query(req.schema, 'SELECT image_url FROM messages WHERE group_id=$1 AND image_url IS NOT NULL', [group.id]);
await exec(req.schema, 'DELETE FROM groups WHERE id=$1', [group.id]);
for (const msg of imageMessages) deleteImageFile(msg.image_url);
for (const uid of members) io.to(`user:${uid}`).emit('group:deleted', { groupId: group.id });
for (const uid of members) io.to(R(req.schema,'user',uid)).emit('group:deleted', { groupId: group.id });
res.json({ success: true });
} catch (e) { res.status(500).json({ error: e.message }); }
});