Fix leak: redact per-person on authed non-member reads #46

Merged
justin merged 1 commits from fix-authed-nonmember-redaction into main 2026-06-09 09:26:55 -04:00
Owner

Pre-existing privacy bug (flagged in docs/BACKLOG.md §2.4/§2.10). A logged-in NON-member of a public/unlisted tree could read living people's dates, real alternate names, and download their photos via the family-view endpoints — only the person list was redacted; list_events/list_relationships/list_names/list_media gated on can_view_tree alone.

For non-members these now delegate to the same person_visibility-driven reads the public surface uses: living-person events/names dropped, relationships touching a hidden person dropped, media limited to full-visibility persons, and get_media → media_content 404s for a redacted/unlinked person's media. Members unchanged.

Test: authed non-member sees no living-person PII across events/names/relationships/media and can't download a living person's file; owner still sees all. Full suite 72 passed (ran locally; CI has no pytest).

🤖 Generated with Claude Code

justin added 1 commit 2026-06-09 09:26:54 -04:00
A logged-in NON-member of a public/unlisted tree could read living people's
dates, real alternate names, and media (incl. downloading photos) through the
family-view endpoints — only the person LIST was redacted; list_events,
list_relationships, list_names, list_media gated on can_view_tree alone.

For non-members, these now delegate to the same visibility-filtered reads the
public surface uses (person_visibility-driven): living-person events/names
dropped, relationships touching a hidden person dropped, media limited to
full-visibility persons, and media download (get_media → media_content) 404s
for a redacted/unlinked person's media. Members are unchanged.

Adds list_public_relationships_for_person / list_public_media / can_view_media
to public_view_service. Test: an authed non-member sees no living-person PII
across events/names/relationships/media and can't download a living person's
file, while the owner still sees everything. Full suite: 72 passed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Justin Paul <justin@jpaul.me>
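The authorization shape the PR and commit describe, as an added illustration that is not the project's own code: the vulnerable family-view read gates on `can_view_tree` alone, so a logged-in non-member of a public tree receives every event, while the fixed reads keep the unfiltered path for members and delegate non-member reads to `person_visibility`-driven public-surface functions (`list_public_relationships`, `list_public_media`, `can_view_media`). The data model, the two visibility levels, the sample tree, and every signature here are assumptions; only the function names echo the page.

```python
# Added example, not the project's code. Models the fix described in the PR:
# non-member reads route through person_visibility-filtered public reads.
# Data model, visibility levels, and all signatures are assumptions.
from dataclasses import dataclass, field

FULL, REDACTED = "full", "redacted"  # assumed visibility levels


@dataclass(frozen=True)
class Person:
    id: int
    name: str
    living: bool
    alt_names: tuple = ()


@dataclass
class Tree:
    public: bool
    members: set = field(default_factory=set)
    persons: dict = field(default_factory=dict)        # id -> Person
    events: list = field(default_factory=list)         # (person_id, kind, date)
    relationships: list = field(default_factory=list)  # (person_a, person_b, kind)
    media: dict = field(default_factory=dict)          # media_id -> person_id, None if unlinked


def can_view_tree(tree, user):
    return tree.public or user in tree.members


def is_member(tree, user):
    return user in tree.members


def person_visibility(tree, person_id, user):
    """Members see everyone in full; non-members get living people redacted (assumed policy)."""
    person = tree.persons.get(person_id)
    if person is None:
        return REDACTED
    return FULL if is_member(tree, user) or not person.living else REDACTED


# Vulnerable shape: the tree-level gate is the only check, so a logged-in
# non-member of a public tree gets a living person's dates back.
def list_events_vulnerable(tree, user):
    if not can_view_tree(tree, user):
        raise PermissionError("no access to tree")
    return list(tree.events)


# Public-surface reads: every row is filtered on person_visibility.
def list_public_events(tree, user):
    return [e for e in tree.events if person_visibility(tree, e[0], user) == FULL]


def list_public_names(tree, user):
    return {p.id: (p.name, p.alt_names) for p in tree.persons.values()
            if person_visibility(tree, p.id, user) == FULL}


def list_public_relationships(tree, user):
    # Dropped if either endpoint is not fully visible.
    return [r for r in tree.relationships
            if person_visibility(tree, r[0], user) == FULL
            and person_visibility(tree, r[1], user) == FULL]


def list_public_media(tree, user):
    return [m for m, pid in tree.media.items()
            if pid is not None and person_visibility(tree, pid, user) == FULL]


def can_view_media(tree, media_id, user):
    pid = tree.media.get(media_id)
    if pid is None:  # unlinked or unknown media is never served to a non-member
        return False
    return person_visibility(tree, pid, user) == FULL


# Fixed family-view reads: members keep the unfiltered read, non-members delegate.
def _family_read(tree, user, member_read, public_read):
    if not can_view_tree(tree, user):
        raise PermissionError("no access to tree")
    return member_read(tree) if is_member(tree, user) else public_read(tree, user)


def list_events(tree, user):
    return _family_read(tree, user, lambda t: list(t.events), list_public_events)


def list_names(tree, user):
    return _family_read(tree, user, lambda t: {p.id: (p.name, p.alt_names)
                                               for p in t.persons.values()}, list_public_names)


def list_relationships(tree, user):
    return _family_read(tree, user, lambda t: list(t.relationships), list_public_relationships)


def list_media(tree, user):
    return _family_read(tree, user, lambda t: list(t.media), list_public_media)


def media_content(tree, media_id, user):
    """Status for a download request; a redacted/unlinked person's media looks nonexistent (404)."""
    if not can_view_tree(tree, user):
        raise PermissionError("no access to tree")
    if media_id not in tree.media:
        return 404
    if not is_member(tree, user) and not can_view_media(tree, media_id, user):
        return 404
    return 200


def build_sample_tree():
    """Constructed sample: a public tree whose only member is 'owner'."""
    tree = Tree(public=True, members={"owner"})
    tree.persons = {1: Person(1, "Ada", living=False, alt_names=("Ada L.",)),
                    2: Person(2, "Ben", living=True, alt_names=("Benjamin",)),
                    3: Person(3, "Cal", living=False)}
    tree.events = [(1, "birth", "1815-12-10"), (2, "birth", "1990-01-01")]
    tree.relationships = [(1, 2, "parent"), (1, 3, "spouse")]
    tree.media = {"m1": 1, "m2": 2, "m3": None}
    return tree
```

Run against `build_sample_tree()`, `list_events_vulnerable(tree, "visitor")` returns Ben's birth date while `list_events(tree, "visitor")` does not; the relationship `(1, 2, "parent")` disappears for the visitor because it touches a living person, and `media_content(tree, "m2", "visitor")` answers 404 exactly as it does for the unlinked `"m3"`, so a non-member cannot distinguish redacted media from absent media. The owner's results are the unfiltered lists, matching the "members unchanged" constraint.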
justin merged commit 91a7ce1dc2 into main 2026-06-09 09:26:55 -04:00
justin deleted branch fix-authed-nonmember-redaction 2026-06-09 09:26:55 -04:00