fix: user search filters take a slug or 'me', not a numeric ID#9
Open
WebSearching404 wants to merge 1 commit into
Open
fix: user search filters take a slug or 'me', not a numeric ID#9WebSearching404 wants to merge 1 commit into
WebSearching404 wants to merge 1 commit into
Conversation
validateUserIdFilters (0b9dea4) enforced the inverse of BookStack's actual contract: SearchRunner::filterCreatedBy/filterUpdatedBy/ filterOwnedBy resolve the filter value by user SLUG ('me' = the token's own user) and silently skip the filter when nothing matches. So the guard rejected every valid form of these filters (slugs, 'me') while steering callers to numeric IDs — exactly the values BookStack ignores, returning ALL results presented as filtered. - validateUserIdFilters now rejects pure-numeric values (the silent fail-open input), including the previously-unguarded negated {!field:N} form, and accepts slugs/'me' - search + find_users tool descriptions and the README row now state the slug contract Verified against BookStack v26.05.1 source and live on a seeded instance: {created_by:me} and {created_by:<slug>} filter correctly; numeric IDs silently return unfiltered results. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The bug
validateUserIdFilters(introduced in 0b9dea4 / v3.5.0) enforces the inverse of BookStack's actual contract. BookStack resolves{created_by:X}/{updated_by:X}/{owned_by:X}by user slug, with'me'as a shortcut for the token's own user — and when X matches no user's slug it silently skips the filter, returning all results as if they were filtered:https://github.com/BookStackApp/BookStack/blob/v26.05.1/app/Search/SearchRunner.php
So the current guard:
{created_by:me}and{created_by:some-slug}both throw, andReproduced live on a seeded instance:
{created_by:1}(admin's actual user ID) → returns everything, unfiltered;{created_by:me}and{created_by:admin}→ filter correctly.The fix
validateUserIdFiltersnow rejects pure-numeric values (the silent fail-open input), including the previously-unguarded negated{!field:N}form, and lets slugs /'me'through. The error message explains the slug contract and points atfind_users(which already returns theslugfield).searchandfind_userstool descriptions and the READMEfind_usersrow now state the slug contract instead of the numeric-ID one.npm run build(tsc) passes; no schema or tool-surface changes.Found while auditing a downstream fork, where the same fix has been running against a live v26.05.1 instance with an automated acceptance suite (including an empirical
{created_by:me}filter check).🤖 Generated with Claude Code