marketing-shibata50/multica
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: address review issues in skills system

Browse source 
- Fix authorization bypass in DeleteSkillFile (missing workspace/role check)
- Extract skills page into features/skills/ module (thin route shell)
- Fix skill files disappearing after save (use API return values + merge in refreshSkills)
- Fix silently swallowed DB errors in ListAgents/GetAgent skill queries

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jiayuan Zhang 2026-03-25 15:37:08 +08:00
parent fb709ff143
commit 42aef6e13e
7 changed files with 599 additions and 543 deletions
Download patch file Download diff file Expand all files Collapse all files

9
server/internal/handler/skill.go
View file

@ -440,6 +440,15 @@ func (h *Handler) UpsertSkillFile(w http.ResponseWriter, r *http.Request) {
}
func (h *Handler) DeleteSkillFile(w http.ResponseWriter, r *http.Request) {
id := chi.URLParam(r, "id")
skill, ok := h.loadSkillForUser(w, r, id)
if !ok {
return
}
if _, ok := h.requireWorkspaceRole(w, r, uuidToString(skill.WorkspaceID), "skill not found", "owner", "admin"); !ok {
return
}
fileID := chi.URLParam(r, "fileId")
if err := h.Queries.DeleteSkillFile(r.Context(), parseUUID(fileID)); err != nil {
writeError(w, http.StatusInternalServerError, "failed to delete skill file")