Innders
commented
1 week ago A user can receive a message from a project they do not have access to.
Closed martastain closed 1 week ago
Innders
commented
1 week ago A user can receive a message from a project they do not have access to.
martastain
commented
1 week ago Hmmm. True, but there's not much they can do with that. As the message does not contain any data, just a bunch of IDs.
It would be nice to filter out messages by access rights tho. I could do that in the websocket module as i hold metadata of connected users. But i think that's out of the scope of this PR. creating a second issue for it.
Innders
commented
1 week ago As the message does not contain any data
projectName is sensitive
martastain
commented
1 week ago Oh. Yes. I'll start working on it.
When an activity is created RT
activity.createdevent is dispatched with a list of all affected entities. that should trigger cache invalidation of the activity feed.Keep in mind, that sender matching will prevent originating browser tab receiving the message, so whoever creates the activity is responsible to invalidate their own cache.
Don't forget subscribing to
activity.createdtopic.(the same structure is used for
activity.updatedandactivity.deletedtopics