fix: check write permission on explicit namespace in Add()

fix: remove global readability of namespace nodes
fix: resolve AX_TOKEN before config user in getNodeService
2026-06-12 16:42:37 +02:00 · 2026-06-12 16:09:51 +02:00 · 2026-06-12 15:53:09 +02:00
2 changed files with 24 additions and 7 deletions
@@ -12,6 +12,21 @@ import (
 )
 func getNodeService() (service.NodeService, error) {
 	if token := os.Getenv("AX_TOKEN"); token != "" {
 		if cfg.Remote.Host != "" {
 			base := fmt.Sprintf("http://%s:%d", cfg.Remote.Host, cfg.Remote.Port)
 			return service.NewRemoteNodeService(base, ""), nil
 		}
 		st, err := store.FindAndOpenSQLiteStore()
 		if err != nil {
 			return nil, err
 		}
 		agentID := service.LookupAgentToken(st, token)
 		if agentID == "" {
 			return nil, fmt.Errorf("invalid AX_TOKEN: agent not found")
 		}
 		return service.NewLocalNodeService(st, agentID), nil
 	}
 	user := cfg.User
 	if user == "" {
 		return nil, fmt.Errorf("no user configured: run 'ax user set <username>' first")
@@ -185,14 +185,13 @@ func (s *nodeServiceImpl) getPermContext() (*permContext, error) {
 		}
 	}
-	// User and namespace nodes are globally readable (they represent identities,
+	// User nodes are globally readable (they represent identities,
 	// and anyone can reference or assign to them).
-	for _, nodeType := range []string{"user", "namespace"} {
+	// Namespace nodes are NOT globally readable; access must be explicitly granted.
-		nodes, _ := s.store.FindNodes([]*models.Rel{{Type: models.RelType("_type::" + nodeType), Target: ""}})
+	nodes, _ := s.store.FindNodes([]*models.Rel{{Type: "_type::user", Target: ""}})
-		for _, n := range nodes {
+	for _, n := range nodes {
-			if pc.levels[n.ID] < permRead {
+		if pc.levels[n.ID] < permRead {
-				pc.levels[n.ID] = permRead
+			pc.levels[n.ID] = permRead
 			}
 		}
 	}
@@ -500,6 +499,9 @@ func (s *nodeServiceImpl) Add(input AddInput) (*models.Node, error) {
 			if err != nil {
 				return err
 			}
 			if input.Namespace != "" && !pc.canWrite(nsID) {
 				return fmt.Errorf("permission denied: no write access to namespace %q", input.Namespace)
 			}
 			ownerID = nsID
 		}
 		if err := st.AddRel(ownerID, string(models.RelHasOwnership), id); err != nil {
Author	SHA1	Message	Date
eliaskohout	5f548e134d	fix: check write permission on explicit namespace in Add() Build and Publish Arch Package / build-arch (amd64, x86_64) (push) Successful in 48s Details Build and Publish Arch Package / build-arch (arm64, aarch64) (push) Successful in 42s Details Build and Publish Docker Image / build-apk (amd64, x86_64) (push) Successful in 44s Details Build and Publish Docker Image / build-apk (arm64, aarch64) (push) Successful in 52s Details Build and Publish Docker Image / build-and-push-docker (push) Successful in 10m47s Details	2026-06-12 16:42:37 +02:00
eliaskohout	61c8867742	fix: remove global readability of namespace nodes Build and Publish Arch Package / build-arch (amd64, x86_64) (push) Successful in 50s Details Build and Publish Arch Package / build-arch (arm64, aarch64) (push) Successful in 43s Details Build and Publish Docker Image / build-apk (amd64, x86_64) (push) Successful in 44s Details Build and Publish Docker Image / build-apk (arm64, aarch64) (push) Successful in 55s Details Build and Publish Docker Image / build-and-push-docker (push) Successful in 10m46s Details	2026-06-12 16:09:51 +02:00
eliaskohout	c1f196640b	fix: resolve AX_TOKEN before config user in getNodeService Build and Publish Arch Package / build-arch (amd64, x86_64) (push) Successful in 44s Details Build and Publish Arch Package / build-arch (arm64, aarch64) (push) Successful in 49s Details Build and Publish Docker Image / build-apk (amd64, x86_64) (push) Successful in 44s Details Build and Publish Docker Image / build-apk (arm64, aarch64) (push) Successful in 44s Details Build and Publish Docker Image / build-and-push-docker (push) Successful in 10m47s Details	2026-06-12 15:53:09 +02:00