From c041719e6add5932015c28ea369a5032da77b764 Mon Sep 17 00:00:00 2001
From: claude
Date: Wed, 24 Jun 2026 00:01:49 +0000
Subject: [PATCH] fix(git-sync): restrict config and tab visibility to project owner
- gitSyncEnabled is now false for non-owners, hiding the rail tab
- gitRemote (and all other git sync config) is served as empty string to non-owners, preventing auth token leakage via meta tags to collaborators and anonymous token users
Co-Authored-By: Claude Sonnet 4.6
---
 .../Features/Project/ProjectController.mjs | 24 ++++++++++++++-----
 1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/services/web/app/src/Features/Project/ProjectController.mjs b/services/web/app/src/Features/Project/ProjectController.mjs
index db63adb77d..77d39e132e 100644
--- a/services/web/app/src/Features/Project/ProjectController.mjs
+++ b/services/web/app/src/Features/Project/ProjectController.mjs
@@ -1027,12 +1027,24 @@ const _ProjectController = {
 imageNames,
 gitBridgePublicBaseUrl: Settings.gitBridgePublicBaseUrl,
 gitBridgeEnabled: Features.hasFeature('git-bridge'),
- gitSyncEnabled: Boolean(Settings.enableGitSync),
- gitRemote: project.gitRemote ?? '',
- gitSyncPath: project.gitSyncPath ?? '',
- gitSyncPdfPath: project.gitSyncPdfPath ?? '',
- gitSyncPushFiles: project.gitSyncPushFiles ?? true,
- gitSyncPushPdf: project.gitSyncPushPdf ?? true,
+ gitSyncEnabled:
+ Boolean(Settings.enableGitSync) &&
+ privilegeLevel === PrivilegeLevels.OWNER,
+ gitRemote: privilegeLevel === PrivilegeLevels.OWNER
+ ? (project.gitRemote ?? '')
+ : '',
+ gitSyncPath: privilegeLevel === PrivilegeLevels.OWNER
+ ? (project.gitSyncPath ?? '')
+ : '',
+ gitSyncPdfPath: privilegeLevel === PrivilegeLevels.OWNER
+ ? (project.gitSyncPdfPath ?? '')
+ : '',
+ gitSyncPushFiles: privilegeLevel === PrivilegeLevels.OWNER
+ ? (project.gitSyncPushFiles ?? true)
+ : true,
+ gitSyncPushPdf: privilegeLevel === PrivilegeLevels.OWNER
+ ? (project.gitSyncPushPdf ?? true)
+ : true,
 wsUrl,
 showSupport: Features.hasFeature('support'),
 showTemplatesServerPro,
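Review bot: The owner check `privilegeLevel === PrivilegeLevels.OWNER` is repeated six times across the added lines, so the next git-sync field added to this literal can easily be written without the gate; hoist it once into `const isProjectOwner = privilegeLevel === PrivilegeLevels.OWNER` declared before the object literal (the literal's opening and the enclosing function both lie outside this hunk) and gate every field on that name. The gating itself reads correctly for the stated goal, assuming `privilegeLevel` is the level resolved for the requesting user earlier in this function: a collaborator or anonymous-token reader now receives empty strings for `gitRemote` and the path fields instead of a remote URL that may embed credentials. Separately, the config fields are still returned to the owner when `Settings.enableGitSync` is false, which is pre-existing behaviour; if a disabled feature is meant to expose nothing, the field gates could reuse the same combined condition as `gitSyncEnabled`.
```javascript
const isProjectOwner = privilegeLevel === PrivilegeLevels.OWNER
// … unchanged: other render fields up to gitBridgeEnabled …
gitSyncEnabled: Boolean(Settings.enableGitSync) && isProjectOwner,
gitRemote: isProjectOwner ? (project.gitRemote ?? '') : '',
gitSyncPath: isProjectOwner ? (project.gitSyncPath ?? '') : '',
gitSyncPdfPath: isProjectOwner ? (project.gitSyncPdfPath ?? '') : '',
gitSyncPushFiles: isProjectOwner ? (project.gitSyncPushFiles ?? true) : true,
gitSyncPushPdf: isProjectOwner ? (project.gitSyncPushPdf ?? true) : true,
// … unchanged: wsUrl, showSupport, showTemplatesServerPro …
```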