history: show legacy jobs (no user_id) to authenticated users
Jobs created before user isolation was added have null user_id. Previously they were hidden from authenticated users. Now authenticated users see their own jobs + all legacy jobs (no user_id). Jobs belonging to a different authenticated user are still excluded. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
parent
3b27ff79cd
commit
0443cb450a
1 changed files with 9 additions and 7 deletions
16
api.php
16
api.php
|
|
@ -698,14 +698,16 @@ function handleList() {
|
|||
foreach ($files as $file) {
|
||||
$job_data = json_decode(file_get_contents($file), true);
|
||||
|
||||
// User isolation: only return jobs belonging to the authenticated user.
|
||||
// Jobs without a user_id (created before this feature) are excluded when
|
||||
// a user is authenticated to prevent cross-user data leakage.
|
||||
// User isolation:
|
||||
// - Authenticated user: show their own jobs + legacy jobs (no user_id)
|
||||
// - Unauthenticated (dev mode): show only legacy jobs (no user_id)
|
||||
$job_user_id = $job_data['user_id'] ?? null;
|
||||
if ($current_user_id !== null) {
|
||||
if (($job_data['user_id'] ?? null) !== $current_user_id) continue;
|
||||
} elseif (($job_data['user_id'] ?? null) !== null) {
|
||||
// Unauthenticated caller (dev mode) — skip user-owned jobs
|
||||
continue;
|
||||
// Skip jobs that belong to a DIFFERENT authenticated user
|
||||
if ($job_user_id !== null && $job_user_id !== $current_user_id) continue;
|
||||
} else {
|
||||
// Unauthenticated — skip user-owned jobs
|
||||
if ($job_user_id !== null) continue;
|
||||
}
|
||||
|
||||
// Enrich with result summary if available
|
||||
|
|
|
|||
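Review bot: With the relaxed filter, `$job_user_id` is null both for real legacy jobs and for any file that `json_decode` could not parse, so a corrupt or unreadable job file now passes `if ($job_user_id !== null && $job_user_id !== $current_user_id) continue;` and reaches the enrichment step for every authenticated user. Under the previous strict comparison such entries were skipped whenever a user was logged in. Adding `if (!is_array($job_data)) continue;` right after the decode keeps the legacy rule limited to well-formed records. Separately, every legacy job becomes listable by every account, so if those jobs were created by different people the list now exposes them across users; a one-time ownership backfill or a configuration switch for legacy visibility would narrow that, and the new comment should state the trade-off. handleList() starts and ends outside the hunk, so a later validity check may already exist and is worth confirming.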