[Medium] Inconsistent Authentication in services.list #22

Open
opened 2026-02-11 18:50:27 +00:00 by thabeta · 1 comment
Owner

Issue

The handleMyceliumServicesList method in internal/rpc/services.go returns services scoped only to the authenticated user's public key. It does not provide a path for administrators to list services for other users, unlike services.get or services.update.

Impact

  • Limited administrative visibility and audit capability
  • Inconsistent behavior across RPC service management endpoints

Remediation

Update the list handler to accept an optional userPubKey parameter. If provided by an administrator, return services for that specific user.

Files Affected

  • internal/rpc/services.go
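
One way to implement the scoping rule from the Remediation above, as an added example that is not code from the repository. `Caller`, `Service`, `resolveListScope`, `listServices` and `ErrForbidden` are hypothetical names; only the `userPubKey` parameter comes from the issue. A non-admin who supplies another user's key is rejected rather than silently given their own list.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for the gateway's own types; not from the repository.
type Caller struct {
	PubKey  string
	IsAdmin bool
}
type Service struct{ Name, OwnerPubKey string }

var ErrForbidden = errors.New("admin required to list another user's services")

// resolveListScope decides whose services a services.list call may return.
// An empty userPubKey, or the caller's own key, keeps the current behaviour.
// Any other key is honoured only for administrators and fails closed otherwise.
func resolveListScope(c Caller, userPubKey string) (string, error) {
	if userPubKey == "" || userPubKey == c.PubKey {
		return c.PubKey, nil
	}
	if !c.IsAdmin {
		return "", ErrForbidden
	}
	return userPubKey, nil
}

// listServices filters the store by the owner key that the caller may see.
func listServices(c Caller, userPubKey string, store []Service) ([]Service, error) {
	owner, err := resolveListScope(c, userPubKey)
	if err != nil {
		return nil, err
	}
	out := []Service{}
	for _, s := range store {
		if s.OwnerPubKey == owner {
			out = append(out, s)
		}
	}
	return out, nil
}

func main() {
	store := []Service{{"web", "pk-alice"}, {"db", "pk-bob"}} // constructed sample data
	_, err := listServices(Caller{PubKey: "pk-alice"}, "pk-bob", store)
	got, _ := listServices(Caller{PubKey: "pk-admin", IsAdmin: true}, "pk-bob", store)
	fmt.Println("non-admin:", err, "| admin:", got)
}
```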
Author
Owner

We can instead add new methods for admins only (admin.get, admin.update, etc.).

Reference
geomind_code/webgateway#22