fix!: unauthorized face creation (#28561)

* fix: unauthorized face creation * review changes --------- Co-authored-by: shenlong-tanwen <139912620+shalong-tanwen@users.noreply.github.com>
2026-06-05 14:25:16 -04:00 · 2026-06-02 22:44:11 +05:30
parent 408e1180ca
commit 9287fa08c6
3 changed files with 41 additions and 1 deletions
@@ -0,0 +1,16 @@
+import { Kysely, sql } from 'kysely';
+
+export async function up(db: Kysely<any>): Promise<void> {
+  // Delete unauthorized cross-owner asset faces
+  await sql`
+    DELETE FROM asset_face
+    USING person, asset
+    WHERE asset_face."personId" = person.id
+      AND asset_face."assetId" = asset.id
+      AND person."ownerId" != asset."ownerId"
+  `.execute(db);
+}
+
+export async function down(): Promise<void> {
+  // Not implemented: the deleted rows were unauthorized cross-owner entries
+}