VARASYS/ZDDC
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ZDDC/zddc/internal/handler
History
ZDDC fd4f03afc3 fix(policy): read-path ACL honors admin bypass via AllowFromChainP 
Reads (apps resolution, directory listing, file GET, archive index,
profile pages, subtree zip, form render) used policy.AllowFromChain
with email — no admin-bypass branch fired even for elevated admins,
because IsActiveAdmin only landed in AllowActionFromChainP.

Symptom: elevated admin navigating to /browse.html got 403 because
the root cascade has no explicit read grants in my refactored root
.zddc (role memberships + admins only; no acl.permissions). The
app-resolution path's AllowFromChain didn't see admin status.

Fix: new policy.AllowFromChainP that forwards to
AllowActionFromChainP(action=read). Migrate every read-path caller
to the principal-aware variant. The decider's single bypass branch
now fires uniformly across read and write decisions.

Migrated:
  cmd/zddc-server/main.go        (9 sites)
  handler/directory.go           (1)
  handler/archivehandler.go      (2)
  handler/zddcfile.go            (1)
  handler/formhandler.go         (3)
  handler/projectshandler.go     (1; EnumerateProjects sig takes Principal)
  handler/subtreezip.go          (1)
  fs/tree.go                     (1; uses already-built principal)

profilehandler.go:400 stays on AllowFromChain — it probes ACL for a
DIFFERENT email (the enumeration target, not the request principal),
so admin bypass on the request's principal doesn't apply.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 09:54:46 -05:00
..
accepthandler.go feat: reviewing/ lifecycle — Plan Review endpoint, virtual received window, browse context-menu workflows 2026-05-15 16:08:04 -05:00
accepthandler_test.go feat: reviewing/ lifecycle — Plan Review endpoint, virtual received window, browse context-menu workflows 2026-05-15 16:08:04 -05:00
admin_helpers.go chore: elevation slot in every tool + docs + helper file splits + smell cleanup 2026-05-14 12:15:41 -05:00
archivehandler.go fix(policy): read-path ACL honors admin bypass via AllowFromChainP 2026-05-18 09:54:46 -05:00
archivehandler_test.go feat(archive): canonicalize deep .archive URLs + permissions follow the file 2026-05-07 06:28:07 -05:00
auth_invariants_test.go test(handler): lock-in invariants for admin/elevation/WORM behavior 2026-05-18 09:12:37 -05:00
authcheck.go refactor: unified listing protocol + form-editor retirement + admin elevation 2026-05-14 12:15:07 -05:00
authcheck_test.go refactor: unified listing protocol + form-editor retirement + admin elevation 2026-05-14 12:15:07 -05:00
converthandler.go refactor: virtual file extensions for subtree zip + MD conversion 2026-05-14 12:23:37 -05:00
cors.go feat(server): authenticated CRUD + verb-based RBAC with WORM archive folders 2026-05-05 15:58:04 -05:00
cors_test.go feat(zddc-server): admin debug page + X-Auth-Request-Email default + hidden-segment guard 2026-04-28 14:02:06 -05:00
default-mdl.form.yaml feat(mdl): default columns mirror tracking-number components + customizable 2026-05-09 11:09:31 -05:00
default-mdl.table.yaml feat(mdl): default columns mirror tracking-number components + customizable 2026-05-09 11:09:31 -05:00
directory.go fix(policy): read-path ACL honors admin bypass via AllowFromChainP 2026-05-18 09:54:46 -05:00
directory_test.go fix(zddc-server): mdl slash form serves browse; .zddc viewable at every depth 2026-05-11 12:45:16 -05:00
fileapi.go refactor(handler): migrate authorizeAction + plan-review preflight to single bypass 2026-05-18 09:20:32 -05:00
fileapi_test.go refactor: unified listing protocol + form-editor retirement + admin elevation 2026-05-14 12:15:07 -05:00
formhandler.go fix(policy): read-path ACL honors admin bypass via AllowFromChainP 2026-05-18 09:54:46 -05:00
formhandler_test.go refactor: unified listing protocol + form-editor retirement + admin elevation 2026-05-14 12:15:07 -05:00
logring.go feat(zddc-server): user profile page replaces /.admin/ 2026-04-29 16:32:02 -05:00
logring_test.go feat(zddc-server): admin debug page + X-Auth-Request-Email default + hidden-segment guard 2026-04-28 14:02:06 -05:00
middleware.go feat(handler): audit log records active_admin alongside elevated 2026-05-18 09:26:13 -05:00
middleware_test.go feat(handler): audit log records active_admin alongside elevated 2026-05-18 09:26:13 -05:00
paths.go chore: elevation slot in every tool + docs + helper file splits + smell cleanup 2026-05-14 12:15:41 -05:00
planreview.go refactor(handler): migrate authorizeAction + plan-review preflight to single bypass 2026-05-18 09:20:32 -05:00
planreview_test.go feat: reviewing/ lifecycle — Plan Review endpoint, virtual received window, browse context-menu workflows 2026-05-15 16:08:04 -05:00
profile_assets.go chore: elevation slot in every tool + docs + helper file splits + smell cleanup 2026-05-14 12:15:41 -05:00
profilehandler.go fix(policy): read-path ACL honors admin bypass via AllowFromChainP 2026-05-18 09:54:46 -05:00
profilehandler_test.go refactor: unified listing protocol + form-editor retirement + admin elevation 2026-05-14 12:15:07 -05:00
profilepage.go refactor: unified listing protocol + form-editor retirement + admin elevation 2026-05-14 12:15:07 -05:00
profileprojects.go refactor: unified listing protocol + form-editor retirement + admin elevation 2026-05-14 12:15:07 -05:00
projecthandler.go refactor(zddc-server): demote routing-shape redirects from 301 to 302 2026-05-10 14:37:02 -05:00
projecthandler_test.go refactor(landing): project landing is now a single-file SPA, not server-rendered 2026-05-10 07:57:30 -05:00
projectshandler.go fix(policy): read-path ACL honors admin bypass via AllowFromChainP 2026-05-18 09:54:46 -05:00
singleflight.go feat(zddc): MD→{docx,html,pdf} server-side conversion via stock pandoc + chromium containers 2026-05-13 10:33:56 -05:00
static.go Initial commit 2026-04-27 11:05:47 -05:00
subtreezip.go fix(policy): read-path ACL honors admin bypass via AllowFromChainP 2026-05-18 09:54:46 -05:00
subtreezip_test.go refactor: virtual file extensions for subtree zip + MD conversion 2026-05-14 12:23:37 -05:00
tablehandler.go chore(zddc): remove dead canonical-folder predicates 2026-05-11 16:01:43 -05:00
tablehandler_test.go refactor: unified listing protocol + form-editor retirement + admin elevation 2026-05-14 12:15:07 -05:00
tables.html fix(policy): read-path ACL honors admin bypass via AllowFromChainP 2026-05-18 09:54:46 -05:00
tokenhandler.go feat(server): self-issued bearer tokens + --no-auth flag 2026-05-08 07:40:28 -05:00
tokenhandler_test.go feat(server): self-issued bearer tokens + --no-auth flag 2026-05-08 07:40:28 -05:00
wormbypass_test.go test(handler): lock-in invariants for admin/elevation/WORM behavior 2026-05-18 09:12:37 -05:00
zddcfile.go fix(policy): read-path ACL honors admin bypass via AllowFromChainP 2026-05-18 09:54:46 -05:00
zddcfile_test.go fix(zddc-server): mdl slash form serves browse; .zddc viewable at every depth 2026-05-11 12:45:16 -05:00
ziphandler.go feat(zddc): serve a .zip as a virtual directory (zipfs + dispatch intercept) 2026-05-12 12:17:47 -05:00
ziphandler_test.go feat(zddc): serve a .zip as a virtual directory (zipfs + dispatch intercept) 2026-05-12 12:17:47 -05:00