Received: from mail.netlandish.com (mail.netlandish.com [174.136.98.166])
	by code.netlandish.com (Postfix) with ESMTP id 4B0C3337
	for <~netlandish/links-dev@lists.code.netlandish.com>; Thu, 05 Mar 2026 23:49:39 +0000 (UTC)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=209.85.217.49; helo=mail-vs1-f49.google.com; envelope-from=peter@netlandish.com; receiver=<UNKNOWN> 
Authentication-Results: mail.netlandish.com;
	dkim=pass (1024-bit key; unprotected) header.d=netlandish.com header.i=@netlandish.com header.b=WA2EBJSb
Received: from mail-vs1-f49.google.com (mail-vs1-f49.google.com [209.85.217.49])
	by mail.netlandish.com (Postfix) with ESMTP id 4C4031D8156
	for <~netlandish/links-dev@lists.code.netlandish.com>; Thu, 05 Mar 2026 23:49:37 +0000 (UTC)
Received: by mail-vs1-f49.google.com with SMTP id ada2fe7eead31-5ffabb1dfbaso1348456137.3
        for <~netlandish/links-dev@lists.code.netlandish.com>; Thu, 05 Mar 2026 15:49:37 -0800 (PST)
X-Received: by 2002:a05:6102:3ec3:b0:5ff:a34:6ce8 with SMTP id ada2fe7eead31-5ffe6120b4amr75550137.20.1772754576571;
        Thu, 05 Mar 2026 15:49:36 -0800 (PST)
Received: from localhost ([186.77.196.208])
        by smtp.gmail.com with ESMTPSA id ada2fe7eead31-5ffa1fbd888sm8342425137.0.2026.03.05.15.49.35
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 05 Mar 2026 15:49:35 -0800 (PST)
From: Peter Sanchez <peter@netlandish.com>
To: ~netlandish/links-dev@lists.code.netlandish.com
Cc: Peter Sanchez <peter@netlandish.com>
Subject: [PATCH links] api: fix leaking of org follow/unfollow requests
Date: Thu,  5 Mar 2026 17:49:30 -0600
Message-ID: <20260305234932.15616-1-peter@netlandish.com>
X-Mailer: git-send-email 2.52.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

When a user (un)follows an organization there is an audit log recorded
of this action for the user. However, because of a filtering issue those
(un)follow logs can also be viewed by the organization's owner. This can
expose the origin user's IP address. This filter adjustment will resolve
this issue.

Changelog-fixed: api fix to stop leaking of (un)follow auditlogs
Changelog-updated: api version to 0.11.1
---
 api/graph/schema.resolvers.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/api/graph/schema.resolvers.go b/api/graph/schema.resolvers.go
index 6146a0e..55e5c5a 100644
--- a/api/graph/schema.resolvers.go
+++ b/api/graph/schema.resolvers.go
@@ -5127,7 +5127,7 @@ func (r *queryResolver) Version(ctx context.Context) (*model.Version, error) {
 	return &model.Version{
 		Major:           0,
 		Minor:           11,
-		Patch:           0,
+		Patch:           1,
 		DeprecationDate: nil,
 	}, nil
 }
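Review bot: The Patch value in Version is a bare literal that has to be bumped by hand in step with the Changelog-updated trailer, so the two can drift apart on a later release. Consider returning the major, minor and patch numbers from one named constant or version variable, so a release touches a single place.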
@@ -7046,6 +7046,10 @@ func (r *queryResolver) GetAuditLogs(ctx context.Context, input *model.AuditLogI
 		opts.Filter = sq.And{
 			opts.Filter,
 			sq.Eq{"(al.metadata->>'org_id')": org.ID},
+			sq.NotEq{"al.event_type": []string{
+				models.LOG_ORG_FOLLOW,
+				models.LOG_ORG_UNFOLLOW,
+			}},
 		}
 	}
 
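Review bot: The sq.NotEq clause added to the sq.And in GetAuditLogs is a deny-list of exactly two event types, so any other user-originated event that carries org_id in its metadata would still match the org_id condition and be returned to the organization's owner, with whatever the row records about the acting user. An allow-list of event types that belong to the organization, or a shared list of user-private event types defined next to LOG_ORG_FOLLOW and LOG_ORG_UNFOLLOW, would keep this from regressing when a new event type is added. Two smaller points: if sq.NotEq with a slice renders as NOT IN, rows with a NULL event_type are dropped as well, which is only harmless if the column is NOT NULL; and the diffstat shows schema.resolvers.go as the only file changed, so there is no regression test asserting that an owner's query omits follow/unfollow entries while the acting user's own query still returns them.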
-- 
2.52.0

