Skip to content

fix: apply showMemberMiddleware to flowsheet write routes#187

Open
jakebromberg wants to merge 1 commit intomainfrom
fix/10-apply-show-member-middleware
Open

fix: apply showMemberMiddleware to flowsheet write routes#187
jakebromberg wants to merge 1 commit intomainfrom
fix/10-apply-show-member-middleware

Conversation

@jakebromberg
Copy link
Member

@jakebromberg jakebromberg commented Feb 21, 2026

Summary

  • Bug: showMemberMiddleware was imported in apps/backend/app.ts but never applied to any route, allowing any authenticated DJ to modify flowsheet entries even without joining the active show.
  • Fix: Applied showMemberMiddleware after requirePermissions on the POST, PATCH, and DELETE flowsheet routes in flowsheet.route.ts. Removed the unused import from app.ts.
  • Hardening: Added try/catch error handling to the middleware (previously had none) and simplified the DJ lookup from .filter().length to .some().

Test plan

  • Unit tests for showMemberMiddleware covering:
    • DJ not in show → returns 400
    • DJ in show → calls next()
    • No DJs in show → returns 400
    • DB error → returns 500 (new error handling)
  • Full unit test suite passes (124 tests, 9 suites)

Fixes #10

Made with Cursor

@cursoragent
fix: apply showMemberMiddleware to flowsheet write routes
f392fe2 
The middleware was imported but never applied, allowing any authenticated
DJ to modify flowsheet entries regardless of show membership.

Co-authored-by: Cursor <cursoragent@cursor.com>
@jakebromberg jakebromberg force-pushed the fix/10-apply-show-member-middleware branch from 0f349db to f392fe2 Compare February 27, 2026 05:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jakebromberg