fix(sg): enforce TenantMember and RBAC permissions on /security-group…#693

Open
jackthepunished wants to merge 1 commit into
poyrazK:mainfrom
jackthepunished:fix/sg-authz-681-675
Conversation

@jackthepunished
Contributor

…s (#681 #675)

Adds httputil.TenantMember to the security-groups route group and wraps every endpoint with the appropriate sg:* RBAC permission, mirroring the VPC pattern. Closes the IDOR vector that allowed cross-tenant SG access (#681) and the missing-RBAC gap that let any authenticated user mutate SGs (#675).
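One way to realize the chain the PR describes (tenant-membership middleware on the route group, one `sg:*` permission check per route, and a handler lookup still scoped to the caller's tenant), as an added example that is not the project's code: the real `httputil.TenantMember`, the VPC router and `internal/api/setup/router.go` are not shown on the page. It assumes a constructed bearer-token store, a constructed `securityGroups` fixture, and that the tenant id travels in an `X-Tenant-ID` header; all of those are assumptions for illustration.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Principal is the authenticated caller (constructed; the project's claims type is not on the page).
type Principal struct {
	Tenants map[string]bool // tenants the caller is a member of
	Perms   map[string]bool // granted RBAC permissions such as "sg:read"
}

type ctxKey struct{}

// tokens is a constructed credential store standing in for real authentication.
var tokens = map[string]*Principal{
	"tok-alice": {Tenants: map[string]bool{"tenant-a": true}, Perms: map[string]bool{"sg:read": true, "sg:write": true}},
	"tok-bob":   {Tenants: map[string]bool{"tenant-b": true}, Perms: map[string]bool{"sg:read": true}}, // read-only
}

// securityGroups is a constructed fixture: SG id -> owning tenant.
var securityGroups = map[string]string{"sg-a1": "tenant-a", "sg-b1": "tenant-b"}

// authenticate resolves the bearer token and stores the Principal in the context.
func authenticate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p, ok := tokens[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")]
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, p)))
	})
}

// TenantMember rejects callers who are not members of the tenant the request is
// scoped to. Assumption: the tenant id travels in the X-Tenant-ID header.
func TenantMember(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p := r.Context().Value(ctxKey{}).(*Principal)
		if tenant := r.Header.Get("X-Tenant-ID"); tenant == "" || !p.Tenants[tenant] {
			http.Error(w, "not a member of tenant", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// RequirePermission wraps one route with one RBAC permission check.
func RequirePermission(perm string, next http.HandlerFunc) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if p := r.Context().Value(ctxKey{}).(*Principal); !p.Perms[perm] {
			http.Error(w, "missing permission "+perm, http.StatusForbidden)
			return
		}
		next(w, r)
	})
}

// sgHandler serves /security-groups/{id}. TenantMember only proves membership in
// the named tenant, so the lookup is still scoped to it: a tenant-b member who
// guesses a tenant-a id gets 404 (the cross-tenant IDOR the PR closes).
func sgHandler(w http.ResponseWriter, r *http.Request) {
	id := strings.TrimPrefix(r.URL.Path, "/security-groups/")
	if owner, ok := securityGroups[id]; !ok || owner != r.Header.Get("X-Tenant-ID") {
		http.NotFound(w, r) // 404 rather than 403: do not confirm the id exists
		return
	}
	fmt.Fprintf(w, "%s %s ok", r.Method, id)
}

// newRouter builds the chain authenticate -> TenantMember -> per-route RBAC.
func newRouter() http.Handler {
	byMethod := map[string]http.Handler{
		http.MethodGet:    RequirePermission("sg:read", sgHandler),
		http.MethodDelete: RequirePermission("sg:write", sgHandler),
	}
	group := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if h, ok := byMethod[r.Method]; ok {
			h.ServeHTTP(w, r)
			return
		}
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
	})
	mux := http.NewServeMux()
	mux.Handle("/security-groups/", authenticate(TenantMember(group)))
	return mux
}

// call issues one in-memory request against the router and returns the status code.
func call(h http.Handler, method, path, token, tenant string) int {
	req := httptest.NewRequest(method, path, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("X-Tenant-ID", tenant)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```

With this fixture, `call(newRouter(), "GET", "/security-groups/sg-a1", "tok-bob", "tenant-a")` is refused by `TenantMember` (403), the same caller scoped to `tenant-b` gets 404 for the foreign id, and `DELETE` by a read-only member is refused by the per-route `sg:write` check (403). The point to check in the real `router.go` is that the membership middleware sits on the group and every mutating route gets a write permission, not just the reads.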
Copilot AI review requested due to automatic review settings May 25, 2026 03:07
@coderabbitai

coderabbitai Bot commented May 25, 2026

Warning

Review limit reached

@jackthepunished, we couldn't start this review because you've used your available PR reviews for now.

Your plan includes 1 review of capacity. Refill in 59 minutes and 44 seconds.

Your organization has run out of usage credits. Purchase more in the billing tab.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8d0fe160-d3dc-4bdd-8781-a5521491528f

📥 Commits

Reviewing files that changed from the base of the PR and between e0f151b and b5770c6.

📒 Files selected for processing (1)
  • internal/api/setup/router.go

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates the /security-groups API routes to enforce tenant membership and RBAC permissions per endpoint.

Changes:

  • Added TenantMember middleware to the /security-groups route group.
  • Added per-route RBAC permission middleware for create/read/update/delete security-group operations.
