Commit Graph

247 Commits

Author SHA1 Message Date
Marc Schäfer
51629247a5 fix(middleware): prevent cross-org site binding in target create/update
Extend verifySiteAccess to check that when req.userOrgId is already set
by a prior middleware (e.g. verifyResourceAccess/verifyTargetAccess), the
site from req.body.siteId belongs to the same organization. This prevents
the cross-organization tunnel boundary bypass where an attacker with
resource access in one org binds that resource's target to a site in
another org.

Add verifySiteAccess to both target route stacks:
- PUT /resource/:resourceId/target (after verifyResourceAccess)
- POST /target/:targetId (after verifyTargetAccess)

The org-match check runs before req.userOrg is overwritten, so the
resource's organization context is preserved for comparison.

Signed-off-by: Marc Schäfer <git@marcschaeferger.de>
2026-05-29 22:44:16 +00:00
Owen
f8a757c55f Merge branch 'resource-policies' into dev 2026-05-28 15:30:16 -07:00
Owen
6aea3f1643 Merge branch 'auto-update' into dev 2026-05-28 13:59:34 -07:00
Owen Schwartz
957e7ba127 Merge pull request #3175 from shleeable/patch-4
Fix: OLM token rate limit uses wrong field name
2026-05-28 12:13:04 -07:00
Shlee
a79d0f1677 Update external.ts 2026-05-28 15:45:06 +09:30
Shlee
bfd7a7f561 Update external.ts 2026-05-28 15:31:45 +09:30
Owen
ed73d089d0 Auto update newt 2026-05-21 14:13:32 -07:00
Owen
5922bfb1a0 Fix API endpoint action issues 2026-05-04 16:01:40 -07:00
Owen
660197eef1 Merge branch 'feat/resource-policies' into resource-policies 2026-05-04 14:40:44 -07:00
Owen
8214700eaa More refreshing and status history displays 2026-04-17 17:18:15 -07:00
Owen
f932cc7aca Fix status history and show on the health check 2026-04-16 20:55:21 -07:00
Owen
c1782a2650 Add uptime tracking 2026-04-16 18:25:25 -07:00
Owen
1397e61643 Create hcs freely 2026-04-15 20:32:02 -07:00
Owen
5e505224d0 Basic ui is working 2026-04-15 15:26:27 -07:00
miloschwartz
e118e5b047 add list aliases endpoint 2026-04-11 21:03:35 -07:00
Owen
d1182c3a59 Merge branch 'main' into dev 2026-03-30 15:53:46 -07:00
Owen
9dc9b6a2c3 Merge branch 'logging-provision' into dev 2026-03-29 13:59:14 -07:00
miloschwartz
13eadeaa8f support legacy one role per user 2026-03-26 18:19:10 -07:00
miloschwartz
e13a076939 ui improvements 2026-03-26 16:37:31 -07:00
miloschwartz
2091b5f359 Merge branch 'logging-provision' of https://github.com/fosrl/pangolin into logging-provision 2026-03-24 20:30:14 -07:00
miloschwartz
3525b367b3 move to private routes 2026-03-24 20:27:15 -07:00
Owen
0b5b6ed5a3 Adjust register endpoint 2026-03-24 18:26:10 -07:00
Owen
6fe9494df4 Merge branch 'logging-provision' of github.com:fosrl/pangolin into logging-provision 2026-03-24 18:17:42 -07:00
Owen
b2eab95a3b Pass at first endpoints 2026-03-24 18:17:33 -07:00
miloschwartz
7db58f920c add site provisioning key crud 2026-03-24 16:19:00 -07:00
Fred KISSIE
36bcba332c 🚧 wip 2026-03-11 05:18:22 +01:00
Fred KISSIE
f80e212b07 🚧 wip 2026-03-11 00:27:27 +01:00
Fred KISSIE
61ec938b00 🚧 WIP 2026-03-10 18:54:26 +01:00
Shreyas Papinwar
ae39084a75 fix: persist user locale preference to database (#1547) 2026-03-10 12:21:06 +05:30
Fred KISSIE
1a5e9f1005 🚧 resource policy rules 2026-03-04 19:31:59 +01:00
Fred KISSIE
42c9bda939 Merge branch 'dev' into feat/resource-policies 2026-03-04 16:46:33 +01:00
Fred KISSIE
7f6ca31757 🚧 Email whiteList for resource policy 2026-03-04 01:46:56 +01:00
Fred KISSIE
89e7107a47 ♻️ use put and return 200 OK 2026-03-03 03:31:43 +01:00
Fred KISSIE
590f2c29b3 🚧 prepare tables for auth methods 2026-03-03 03:20:03 +01:00
Fred KISSIE
033cc62ce7 🚧 wip 2026-03-02 19:37:23 +01:00
Fred KISSIE
c292578f80 Merge branch 'dev' into feat/resource-policies 2026-02-28 01:08:12 +01:00
Fred KISSIE
d6a8021613 🚧 wip: update resource policy form 2026-02-27 04:21:20 +01:00
Fred KISSIE
c5231d37f6 🚧 wip 2026-02-26 19:20:15 +01:00
miloschwartz
20e547a0f6 first pass 2026-02-24 17:58:11 -08:00
Fred KISSIE
ee21e1faa7 🚧 list authentication items from policy APIs 2026-02-18 05:08:42 +01:00
miloschwartz
79cf7c84dc support delete org and preserve path on switch 2026-02-17 16:45:15 -08:00
miloschwartz
b8c3cc751a support creating multiple orgs in saas 2026-02-17 14:37:46 -08:00
Owen
3debc6c8d3 Add round trip tracking for any message 2026-02-16 20:29:55 -08:00
miloschwartz
33f0782f3a support delete account 2026-02-14 18:01:37 -08:00
Fred KISSIE
ab65bb6a8a Merge branch 'dev' into refactor/paginated-tables 2026-02-13 06:03:09 +01:00
Owen
7d6ee72025 Finish adding limits checks to all put and post 2026-02-11 10:06:56 -08:00
Owen
193b7ff21e Adding limit checks 2026-02-11 10:06:55 -08:00
Fred KISSIE
9f2fd34e99 🚧 wip: user devices endpoint 2026-02-06 05:37:44 +01:00
miloschwartz
915673798e update updateRole endpoint 2026-01-19 20:20:31 -08:00
miloschwartz
89928c753c add server info endpoint 2026-01-18 12:19:07 -08:00