From 61c88677428bd671af7627398a75d317d6c7336f Mon Sep 17 00:00:00 2001
From: Elias Kohout
Date: Fri, 12 Jun 2026 16:09:51 +0200
Subject: [PATCH] fix: remove global readability of namespace nodes
---
 src/service/node_service_impl.go | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/src/service/node_service_impl.go b/src/service/node_service_impl.go
index 18f3cc9..3c06281 100644
--- a/src/service/node_service_impl.go
+++ b/src/service/node_service_impl.go
@@ -185,14 +185,13 @@ func (s *nodeServiceImpl) getPermContext() (*permContext, error) {
 }
 }
- // User and namespace nodes are globally readable (they represent identities,
+ // User nodes are globally readable (they represent identities,
 // and anyone can reference or assign to them).
- for _, nodeType := range []string{"user", "namespace"} {
- nodes, _ := s.store.FindNodes([]*models.Rel{{Type: models.RelType("_type::" + nodeType), Target: ""}})
- for _, n := range nodes {
- if pc.levels[n.ID] < permRead {
- pc.levels[n.ID] = permRead
- }
+ // Namespace nodes are NOT globally readable; access must be explicitly granted.
+ nodes, _ := s.store.FindNodes([]*models.Rel{{Type: "_type::user", Target: ""}})
+ for _, n := range nodes {
+ if pc.levels[n.ID] < permRead {
+ pc.levels[n.ID] = permRead
 }
 }
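Review bot: The error from `FindNodes` is still discarded in the rewritten lookup (`nodes, _ := s.store.FindNodes(...)`), so a store failure silently produces a permission context in which no user node is raised to `permRead`, and the caller gets no signal. That fails closed, but `getPermContext` already returns an error, so I would propagate it: `nodes, err := s.store.FindNodes(...)` followed by `if err != nil { return nil, err }`. The patch touches only this one file, so the authorization change appears to ship without a regression test; a test asserting that a namespace node stays below `permRead` for a caller with no explicit grant would pin the fix. The function body starts and ends outside the hunk, so whether an `err` is already declared in scope, and whether a previously built `pc` is cached elsewhere and could still carry the old namespace grants, cannot be confirmed from here.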