Closed martastain closed 1 week ago
A user can receive a message from a project they do not have access to.
Hmmm. True, but there's not much they can do with that. As the message does not contain any data, just a bunch of IDs.
It would be nice to filter out messages by access rights tho. I could do that in the websocket module as i hold metadata of connected users. But i think that's out of the scope of this PR. creating a second issue for it.
As the message does not contain any data
projectName is sensitive
Oh. Yes. I'll start working on it.
When an activity is created RT
activity.created
event is dispatched with a list of all affected entities. that should trigger cache invalidation of the activity feed.Keep in mind, that sender matching will prevent originating browser tab receiving the message, so whoever creates the activity is responsible to invalidate their own cache.
Don't forget subscribing to
activity.created
topic.(the same structure is used for
activity.updated
andactivity.deleted
topics