9ede795c5b
Enforce workspace isolation at every layer: - Router: move RequireWorkspaceMember middleware to group level so ALL workspace-scoped routes (issues, agents, skills, runtimes, inbox, comments) require workspace context - SQL: add GetXxxInWorkspace queries that filter by workspace_id, eliminating cross-workspace data access at the query level - Handlers: loadXForUser functions use workspace-scoped queries, no fallback to unscoped queries - Migration 025: add workspace_id column to comment table with backfill - ListComments: add workspace_id filter for defense-in-depth Fix daemon workspace mapping: - Server returns workspace_id in task claim response (from issue) - Daemon uses task.WorkspaceID directly instead of unreliable workspaceIDForRuntime() local map lookup - Remove workspaceIDForRuntime function Fix agent/human parity: - Comment update/delete: use resolveActor for isAuthor check so agents can edit/delete their own comments - Event attribution: replace hardcoded "member" with resolveActor in agent, skill, and subscriber publish calls Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
27 lines
648 B
SQL
27 lines
648 B
SQL
-- name: ListComments :many
|
|
SELECT * FROM comment
|
|
WHERE issue_id = $1 AND workspace_id = $2
|
|
ORDER BY created_at ASC;
|
|
|
|
-- name: GetComment :one
|
|
SELECT * FROM comment
|
|
WHERE id = $1;
|
|
|
|
-- name: GetCommentInWorkspace :one
|
|
SELECT * FROM comment
|
|
WHERE id = $1 AND workspace_id = $2;
|
|
|
|
-- name: CreateComment :one
|
|
INSERT INTO comment (issue_id, workspace_id, author_type, author_id, content, type, parent_id)
|
|
VALUES ($1, $2, $3, $4, $5, $6, sqlc.narg(parent_id))
|
|
RETURNING *;
|
|
|
|
-- name: UpdateComment :one
|
|
UPDATE comment SET
|
|
content = $2,
|
|
updated_at = now()
|
|
WHERE id = $1
|
|
RETURNING *;
|
|
|
|
-- name: DeleteComment :exec
|
|
DELETE FROM comment WHERE id = $1;
|