security: require org-admin for gateway session message endpoint

send_gateway_session_message only required basic auth (AUTH_DEP) while
all other gateway endpoints required ORG_ADMIN_DEP. Any authenticated
user could send messages to any gateway session. Now requires org-admin
and verifies the board belongs to the caller's organization.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Hugh Brown
2026-03-03 13:38:41 -07:00
committed by Abhimanyu Saharan
parent 7ca4145aff
commit 66da278673
2 changed files with 5 additions and 0 deletions


@@ -127,6 +127,7 @@ async def send_gateway_session_message(
board_id: str | None = BOARD_ID_QUERY,
session: AsyncSession = SESSION_DEP,
auth: AuthContext = AUTH_DEP,
ctx: OrganizationContext = ORG_ADMIN_DEP,
) -> OkResponse:
"""Send a message into a specific gateway session."""
service = GatewaySessionService(session)
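Review bot: The docstring on the line after the new `ctx: OrganizationContext = ORG_ADMIN_DEP` parameter still reads only "Send a message into a specific gateway session." and does not state that the caller must now be an organization admin or that the session is scoped to the caller's organization; please document that, consistent with the other gateway endpoints the commit message says already use ORG_ADMIN_DEP. Since `auth: AuthContext = AUTH_DEP` is kept alongside the new dependency, it is also worth a regression test that a plainly authenticated, non-admin user now receives the same rejection as on the other gateway endpoints rather than a success response.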
@@ -134,6 +135,7 @@ async def send_gateway_session_message(
session_id=session_id,
payload=payload,
board_id=board_id,
organization_id=ctx.organization.id,
user=auth.user,
)
return OkResponse()
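Review bot: This hunk only adds `organization_id=ctx.organization.id,` to the service call; the commit message says the endpoint "verifies the board belongs to the caller's organization", but the service method that receives this argument is not in the diff, so the actual check is not visible for review. Please confirm (and cover with a test) that the service rejects a session or board outside the caller's organization rather than silently ignoring the argument, and in particular what happens when `board_id` is `None`, which `board_id: str | None = BOARD_ID_QUERY` allows: the organization check must still apply to the session lookup in that case, otherwise the cross-organization access the commit is meant to close remains reachable by omitting the board.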