bug: /projects and /boards endpoints don't filter by is_public for unauthenticated requests #184

Closed
opened 2026-03-16 23:49:26 +00:00 by forgejo_admin · 0 comments

Lineage

plan-pal-e-docs → Phase F14 (phase-pal-e-docs-f14-public-readiness)

Repo

forgejo_admin/pal-e-docs

User Story

As a public visitor browsing pal-e-docs without authentication
I want to only see public projects and boards
So that private projects (like "Private" and "Remember") and their boards are not exposed to me

Context

Phase F6 (PR #179) added is_public filtering to all note endpoints using get_is_authenticated() in auth.py. The /projects and /boards endpoints were not updated with the same filtering. Currently:

  • GET /projects returns ALL projects including ones with is_public=false
  • GET /boards returns ALL boards including boards belonging to private projects
  • GET /boards/{slug} returns board details even for private project boards

The portfolio site needs pal-e-docs to be safe for public traffic before it can link to it.

File Targets

Files the agent should modify:

  • src/pal_e_docs/routes/projects.py — add is_public filtering using get_is_authenticated() dependency
  • src/pal_e_docs/routes/boards.py — add project-level is_public filtering for list and get endpoints
  • tests/test_projects.py (or equivalent) — new tests for auth filtering
  • tests/test_boards.py (or equivalent) — new tests for auth filtering

Files the agent should reference (do not modify):

  • src/pal_e_docs/auth.py — existing get_is_authenticated() implementation to follow
  • src/pal_e_docs/routes/notes.py — reference implementation of is_public filtering

Acceptance Criteria

  • When I curl /projects without X-PaleDocs-Token, then projects with is_public=false are NOT in the response
  • When I curl /projects WITH valid token, then ALL projects are returned
  • When I curl /boards without token, then boards belonging to is_public=false projects are NOT in the response
  • When I curl /boards/{slug} without token for a board on a private project, then I get 404
  • When I curl /boards/{slug} WITH token for a board on a private project, then I get the board

Test Expectations

  • Unit tests: unauthenticated requests to /projects filter is_public=false projects
  • Unit tests: unauthenticated requests to /boards filter boards on private projects
  • Unit tests: authenticated requests to both endpoints return all entities
  • Follow test pattern from PR #179 (F6 added 30 auth filtering tests)
  • Run command: pytest tests/ -k "project" -v and pytest tests/ -k "board" -v

Constraints

  • Use existing get_is_authenticated() from auth.py — do not create a new auth mechanism
  • Follow the exact pattern used in routes/notes.py for is_public filtering
  • Projects model has is_public field — use it directly
  • For boards, filter by joining to the parent project's is_public field
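
The filtering the constraints describe, as an added stand-alone illustration (not pal-e-docs code): the model, sample data, token value and the `get_is_authenticated()` stand-in are all constructed assumptions; the real routes should reuse the dependency from `auth.py` and the query pattern from `routes/notes.py`.

```python
"""Added example (not pal-e-docs code): is_public filtering for /projects and
/boards. Board visibility is inherited by joining to the parent project."""
import hmac
from dataclasses import dataclass

EXPECTED_TOKEN = "constructed-secret"  # placeholder; real value comes from config


@dataclass(frozen=True)
class Project:
    slug: str
    is_public: bool


@dataclass(frozen=True)
class Board:
    slug: str
    project_slug: str  # boards have no is_public of their own


class NotFound(Exception):
    """Stand-in for HTTP 404: a private board must look exactly like a missing one."""


# Constructed sample data; "private" and "remember" mirror the story's private projects.
PROJECTS = [Project("portfolio", True), Project("private", False), Project("remember", False)]
BOARDS = [Board("roadmap", "portfolio"), Board("journal", "private"), Board("todos", "remember")]


def get_is_authenticated(headers: dict) -> bool:
    """Hypothetical stand-in for auth.get_is_authenticated(): True only when
    X-PaleDocs-Token is present and matches, compared in constant time."""
    token = headers.get("X-PaleDocs-Token")
    return token is not None and hmac.compare_digest(token, EXPECTED_TOKEN)


def list_projects(headers: dict) -> list[Project]:
    """GET /projects: authenticated callers see everything, others only is_public=true."""
    if get_is_authenticated(headers):
        return list(PROJECTS)
    return [p for p in PROJECTS if p.is_public]


def list_boards(headers: dict) -> list[Board]:
    """GET /boards: join each board to its project and keep only visible projects."""
    visible = {p.slug for p in list_projects(headers)}
    return [b for b in BOARDS if b.project_slug in visible]


def get_board(slug: str, headers: dict) -> Board:
    """GET /boards/{slug}: filter before lookup so private and missing both give 404."""
    for b in list_boards(headers):
        if b.slug == slug:
            return b
    raise NotFound(slug)
```

Raising the same 404 for private and nonexistent slugs keeps an unauthenticated caller from confirming that a private board exists at all.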

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • project-pal-e-docs — project this affects
  • phase-pal-e-docs-private-notes — Phase F6, the foundation this extends
forgejo_admin 2026-03-17 00:03:30 +00:00
Reference
forgejo_admin/pal-e-api#184