michal/mcpctl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: project list should use RBAC filtering, not ownerId

Browse Source 
The list endpoint was filtering by ownerId before RBAC could include
projects the user has view access to via name-scoped bindings.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Michal
2026-02-23 18:52:13 +00:00
parent f8df1e15e9
commit 7d114a8aed
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/mcpd/src/routes/projects.ts
View File

@@ -2,9 +2,9 @@ import type { FastifyInstance } from 'fastify';
import type { ProjectService } from '../services/project.service.js'; import type { ProjectService } from '../services/project.service.js';
export function registerProjectRoutes(app: FastifyInstance, service: ProjectService): void { export function registerProjectRoutes(app: FastifyInstance, service: ProjectService): void {
app.get('/api/v1/projects', async (request) => { app.get('/api/v1/projects', async () => {
// If authenticated, filter by owner; otherwise list all // RBAC preSerialization hook handles access filtering
return service.list(request.userId); return service.list();
}); });
app.get<{ Params: { id: string } }>('/api/v1/projects/:id', async (request) => { app.get<{ Params: { id: string } }>('/api/v1/projects/:id', async (request) => {