Skip to content

Harden ListScheduledFlows access control#1163

Open
TristanInSec wants to merge 1 commit intogoogle:masterfrom
TristanInSec:harden-listscheduledflows-access-check
Open

Harden ListScheduledFlows access control#1163
TristanInSec wants to merge 1 commit intogoogle:masterfrom
TristanInSec:harden-listscheduledflows-access-check

Conversation

@TristanInSec
Copy link
Copy Markdown
Contributor

@TristanInSec TristanInSec commented Apr 15, 2026

Summary

  • Add missing CheckClientAccess call to ListScheduledFlows in the approval-checks router, consistent with all other client-scoped methods.
  • Use context.username instead of args.creator in the handler to scope listing to the authenticated user.
  • Add tests for both changes.

@google-cla
Copy link
Copy Markdown

google-cla Bot commented Apr 15, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@hack-wiki
Harden ListScheduledFlows access control
fd5eb0e 
Add CheckClientAccess call to ListScheduledFlows in the approval-checks
router, consistent with all other client-scoped methods.

Use context.username instead of args.creator in the handler to prevent
unauthenticated enumeration of another user's scheduled flows.
@TristanInSec TristanInSec force-pushed the harden-listscheduledflows-access-check branch from 1e5d12d to fd5eb0e Compare April 15, 2026 14:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@TristanInSec @hack-wiki