fix(security) : add role checks on Gitea API resources and all MCP tools

- GiteaBranch, GiteaBranchName, GiteaPullRequest: require ROLE_USER
- All 22 MCP tools: require ROLE_USER (ROLE_ADMIN for users/clients listing)

Tickets: T-002, T-007

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Matthieu
2026-03-17 15:23:06 +01:00
parent 5db6b1e2b0
commit e0dfcbdbf8
25 changed files with 163 additions and 3 deletions


@@ -7,16 +7,23 @@ namespace App\Mcp\Tool\TaskMeta;
use App\Mcp\Tool\Serializer;
use App\Repository\TaskGroupRepository;
use Mcp\Capability\Attribute\McpTool;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
#[McpTool(name: 'list-groups', description: 'List task groups, optionally filtered by project. Groups are per-project (each group belongs to one project).')]
class ListGroupsTool
{
public function __construct(
private readonly TaskGroupRepository $taskGroupRepository,
private readonly Security $security,
) {}
public function __invoke(?int $projectId = null, bool $archived = false): string
{
if (!$this->security->isGranted('ROLE_USER')) {
throw new AccessDeniedException('Access denied: ROLE_USER required.');
}
$criteria = ['archived' => $archived];
if (null !== $projectId) {
$criteria['project'] = $projectId;