9dd944226d
Three security-review findings on migration 002: - pages.space_id and refs.space_id changed to NOT NULL + ON DELETE CASCADE (was nullable + SET NULL, which allowed orphan rows surviving space deletion). - pages.parent_id wrapped in composite FK (parent_id, space_id) -> pages(id, space_id) to prevent cross-space parent linkage (same pattern as tasks.project_id in 001). - idx_refs_external promoted to UNIQUE on (space_id, source_kind, external_id); upsertByExternal now requires space_id and dedups per-space, not globally. Added 3 regression tests covering composite FK rejection, CASCADE-on-space-delete, and per-space dedup independence.
83 lines
2.6 KiB
JavaScript
83 lines
2.6 KiB
JavaScript
import { pool } from '../pool.js';
|
|
import { recordAudit } from './audit_stub.js';
|
|
|
|
const FIELDS = [
|
|
'space_id','kind','source_url','title','description','summary',
|
|
'body_text','blob_path','thumbnail','metadata','embedding','status',
|
|
'source_kind','external_id','captured_at'
|
|
];
|
|
|
|
export async function create(input, actor) {
|
|
const cols = [], vals = [], placeholders = [];
|
|
let i = 1;
|
|
for (const f of FIELDS) {
|
|
if (input[f] !== undefined) {
|
|
cols.push(f); vals.push(input[f]); placeholders.push(`$${i++}`);
|
|
}
|
|
}
|
|
const { rows: [r] } = await pool.query(
|
|
`INSERT INTO refs(${cols.join(',')})
|
|
VALUES(${placeholders.join(',')}) RETURNING *`,
|
|
vals
|
|
);
|
|
await recordAudit(actor, 'create', 'ref', r.id, null, r);
|
|
return r;
|
|
}
|
|
|
|
export async function getById(id) {
|
|
const { rows: [r] } = await pool.query(`SELECT * FROM refs WHERE id=$1`, [id]);
|
|
return r;
|
|
}
|
|
|
|
export async function upsertByExternal(input, actor) {
|
|
const { space_id, source_kind, external_id } = input;
|
|
if (!space_id || !source_kind || !external_id) {
|
|
throw new Error('upsertByExternal requires space_id + source_kind + external_id');
|
|
}
|
|
const { rows: [existing] } = await pool.query(
|
|
`SELECT * FROM refs WHERE space_id=$1 AND source_kind=$2 AND external_id=$3`,
|
|
[space_id, source_kind, external_id]
|
|
);
|
|
if (existing) {
|
|
return update(existing.id, input, actor);
|
|
}
|
|
return create(input, actor);
|
|
}
|
|
|
|
export async function list({ space_id, kind, limit = 100, offset = 0 } = {}) {
|
|
const where = [], vals = [];
|
|
let i = 1;
|
|
if (space_id) { where.push(`space_id=$${i++}`); vals.push(space_id); }
|
|
if (kind) { where.push(`kind=$${i++}`); vals.push(kind); }
|
|
const w = where.length ? `WHERE ${where.join(' AND ')}` : '';
|
|
vals.push(limit, offset);
|
|
const { rows } = await pool.query(
|
|
`SELECT * FROM refs ${w} ORDER BY captured_at DESC LIMIT $${i++} OFFSET $${i}`,
|
|
vals
|
|
);
|
|
return rows;
|
|
}
|
|
|
|
export async function update(id, patch, actor) {
|
|
const before = await getById(id);
|
|
const sets = [], vals = [];
|
|
let i = 1;
|
|
for (const f of FIELDS) {
|
|
if (patch[f] !== undefined) { sets.push(`${f}=$${i++}`); vals.push(patch[f]); }
|
|
}
|
|
sets.push(`updated_at=now()`);
|
|
vals.push(id);
|
|
const { rows: [r] } = await pool.query(
|
|
`UPDATE refs SET ${sets.join(', ')} WHERE id=$${i} RETURNING *`,
|
|
vals
|
|
);
|
|
await recordAudit(actor, 'update', 'ref', id, before, r);
|
|
return r;
|
|
}
|
|
|
|
export async function del(id, actor) {
|
|
const before = await getById(id);
|
|
await pool.query(`DELETE FROM refs WHERE id=$1`, [id]);
|
|
await recordAudit(actor, 'delete', 'ref', id, before, null);
|
|
}
|