RomanNum3ral
/
gstack
mirror of https://github.com/garrytan/gstack.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix: newtab blocked by tab ownership check for scoped tokens 

The tab ownership check ran before the newtab handler, checking
the active tab (owned by root) against the scoped token. Since
the scoped token doesn't own the root tab, newtab returned 403.
Skip the ownership check for newtab since it creates a new tab.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Garry Tan 2026-04-06 16:28:22 -07:00
parent 3d53a7595f
commit fcb37d5cfe
No known key found for this signature in database
GPG Key ID: C1F69E85C74EFE1D
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
browse/src/server.ts
View File

@ -929,7 +929,8 @@ async function handleCommandInternal(
}
// ─── Tab ownership check (for scoped tokens) ──────────────
if (tokenInfo && tokenInfo.clientId !== 'root' && (WRITE_COMMANDS.has(command) || tokenInfo.tabPolicy === 'own-only')) {
// Skip for newtab — it creates a new tab, doesn't access an existing one.
if (command !== 'newtab' && tokenInfo && tokenInfo.clientId !== 'root' && (WRITE_COMMANDS.has(command) || tokenInfo.tabPolicy === 'own-only')) {
const targetTab = tabId ?? browserManager.getActiveTabId();
if (!browserManager.checkTabAccess(targetTab, tokenInfo.clientId, { isWrite: WRITE_COMMANDS.has(command), ownOnly: tokenInfo.tabPolicy === 'own-only' })) {
return {