
Commit 5431e64

committed
feat: per-user wallet isolation — non-admin users only see their own wallets
1 parent 384e8dc commit 5431e64

1 file changed

+11
-3
lines changed


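--- a/pkg/api/handlers_wallets.go
+++ b/pkg/api/handlers_wallets.go
@@ -12,13 +12,21 @@ import (
 
 func (s *Server) handleListWallets(w http.ResponseWriter, r *http.Request) {
 orgID := getOrgID(r.Context())
+userID := getUserID(r.Context())
 vaultID := urlParam(r, "id")
 
-wallets, err := orm.TypedQuery[db.Wallet](s.db.ORM).
+q := orm.TypedQuery[db.Wallet](s.db.ORM).
 Filter("vaultId=", vaultID).
 Filter("orgId=", orgID).
-Order("-createdAt").
-GetAll(r.Context())
+Order("-createdAt")
+
+// Per-user isolation: non-admin users only see their own wallets
+role := getRole(r.Context())
+if role != "owner" && role != "admin" && userID != "" {
+q = q.Filter("createdBy=", userID)
+}
+
+wallets, err := q.GetAll(r.Context())
 if err != nil {
 writeError(w, http.StatusInternalServerError, "database error")
 return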
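Review bot: The isolation condition `if role != "owner" && role != "admin" && userID != ""` is fail-open: a non-admin request whose context carries no user ID skips the `createdBy=` filter and receives every wallet in the org, which is the opposite of what the comment above it promises. A missing user identity on a non-admin caller should fail closed — reject the request rather than widen the result set — and the role test is more robust written as an explicit allowlist of privileged roles than as two negated literals. I cannot see from this hunk whether the single-wallet read/update/delete handlers in the same file apply the same `createdBy` restriction; if they key only on the wallet id plus `orgId=`, a non-admin could still reach wallets this list now hides, so the check belongs in one shared helper used by every wallet handler. handleListWallets's body continues past the end of the hunk.
```go
	// Per-user isolation: non-admin users only see their own wallets
	role := getRole(r.Context())
	if role != "owner" && role != "admin" {
		if userID == "" {
			// fail closed: a non-admin caller without a user identity gets nothing
			writeError(w, http.StatusForbidden, "forbidden")
			return
		}
		q = q.Filter("createdBy=", userID)
	}
	// … unchanged: GetAll and error handling …
```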
