Add document ownership verification to /api/generate and document retrieval endpoints #675

Open
opened 2026-04-11 10:31:11 -04:00 by pook · 0 comments
Owner

Create middleware that verifies authenticated user ID matches the document owner before returning generated compliance documents. Query generated_documents table for user_id match. Return 403 on mismatch, 404 if not found. Add integration test: user A cannot retrieve user B's generated privacy policy document, user A gets own documents successfully. Prevents horizontal privilege escalation and protects customer compliance document data.


Generated by CEO Planner (priority: 2)
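An added example of the ownership check this issue describes, not code from the compliancebot repository. The `generated_documents` table and `user_id` column come from the issue text; the schema, the ids, the function names and the 401 branch for a missing identity are assumptions, and the sample rows are constructed.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE generated_documents "
               "(id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, body TEXT)")
    db.executemany("INSERT INTO generated_documents VALUES (?, ?, ?)",
                   [(1, 100, "privacy policy for user A"),
                    (2, 200, "privacy policy for user B")])
    return db


def require_document_owner(handler):
    """Middleware-style wrapper: run the ownership check before the handler."""
    def wrapped(db, auth_user_id, doc_id):
        if auth_user_id is None:
            return 401, None          # assumption: unauthenticated requests get 401
        row = db.execute(
            "SELECT user_id FROM generated_documents WHERE id = ?",
            (doc_id,)).fetchone()
        if row is None:
            return 404, None          # no such document
        if row[0] != auth_user_id:
            return 403, None          # document exists but belongs to someone else
        return handler(db, auth_user_id, doc_id)
    return wrapped


@require_document_owner
def get_document(db, auth_user_id, doc_id):
    # Scope the fetch to the owner as well, so the handler never relies on the
    # id alone and a row deleted after the check yields 404 instead of an error.
    row = db.execute(
        "SELECT body FROM generated_documents WHERE id = ? AND user_id = ?",
        (doc_id, auth_user_id)).fetchone()
    return (200, row[0]) if row else (404, None)


if __name__ == "__main__":
    db = make_db()
    print(get_document(db, 100, 1))   # user A reads own document
    print(get_document(db, 100, 2))   # user A requests user B's document
```

Returning 403 for another user's document, as the issue specifies, confirms to the caller that the id exists. The `auth_user_id` value must come from the authenticated session, never from a request parameter.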

Reference
pook/compliancebot#675