fix: check write permission on explicit namespace in Add()

src/service/node_service_impl.go

@@ -185,14 +185,13 @@ func (s *nodeServiceImpl) getPermContext() (*permContext, error) {
 		}
 	}
 
-	// User and namespace nodes are globally readable (they represent identities,
+	// User nodes are globally readable (they represent identities,
 	// and anyone can reference or assign to them).
-	for _, nodeType := range []string{"user", "namespace"} {
+	// Namespace nodes are NOT globally readable; access must be explicitly granted.
-		nodes, _ := s.store.FindNodes([]*models.Rel{{Type: models.RelType("_type::" + nodeType), Target: ""}})
+	nodes, _ := s.store.FindNodes([]*models.Rel{{Type: "_type::user", Target: ""}})
-		for _, n := range nodes {
+	for _, n := range nodes {
-			if pc.levels[n.ID] < permRead {
+		if pc.levels[n.ID] < permRead {
-				pc.levels[n.ID] = permRead
+			pc.levels[n.ID] = permRead
-			}
 		}
 	}
 
@@ -500,6 +499,9 @@ func (s *nodeServiceImpl) Add(input AddInput) (*models.Node, error) {
 			if err != nil {
 				return err
 			}
+			if input.Namespace != "" && !pc.canWrite(nsID) {
+				return fmt.Errorf("permission denied: no write access to namespace %q", input.Namespace)
+			}
 			ownerID = nsID
 		}
 		if err := st.AddRel(ownerID, string(models.RelHasOwnership), id); err != nil {