From 5f548e134d96ab243f73a6dfd1e1fe6d5d94c640 Mon Sep 17 00:00:00 2001
From: Elias Kohout <elias@kohout.de>
Date: Fri, 12 Jun 2026 16:42:37 +0200
Subject: [PATCH] fix: check write permission on explicit namespace in Add()

---
 src/service/node_service_impl.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/service/node_service_impl.go b/src/service/node_service_impl.go
index 3c06281..61884a9 100644
--- a/src/service/node_service_impl.go
+++ b/src/service/node_service_impl.go
@@ -499,6 +499,9 @@ func (s *nodeServiceImpl) Add(input AddInput) (*models.Node, error) {
 			if err != nil {
 				return err
 			}
+			if input.Namespace != "" && !pc.canWrite(nsID) {
+				return fmt.Errorf("permission denied: no write access to namespace %q", input.Namespace)
+			}
 			ownerID = nsID
 		}
 		if err := st.AddRel(ownerID, string(models.RelHasOwnership), id); err != nil {