Tighten user data security

Author: KillerX

backend/internal/graph/api/shared.resolvers.go

@@ -0,0 +1,42 @@
+package api
+
+import (
+	"context"
+
+	"github.com/bcc-media/wayfarer/internal/services"
+)
+
+// canAccessUser checks if currentUserID can access targetUserID's User object.
+//
+// Returns true if any of these conditions are met:
+//   - currentUserID is the target user (self-access)
+//   - currentUserID has admin or superadmin role
+//   - currentUserID has M2M role (for system integration)
+//
+// Returns false otherwise.
+//
+// This function is used to protect User objects from unauthorized access
+// in GraphQL field resolvers that return User or [User] types.
+func canAccessUser(
+	ctx context.Context,
+	roleService *services.RoleService,
+	currentUserID string,
+	targetUserID string,
+) bool {
+	// Self-access always allowed
+	if currentUserID == targetUserID {
+		return true
+	}
+
+	// Admins and superadmins can access any user
+	if roleService.IsAdmin(ctx, currentUserID) {
+		return true
+	}
+
+	// M2M service accounts can access any user
+	if roleService.HasRole(ctx, currentUserID, services.RoleM2M) {
+		return true
+	}
+
+	return false
+}

backend/internal/graph/api/user_authorization.go

@@ -2,7 +2,7 @@ type: http_request
 model: http_request
 id: rq_CreateContentAchievement
 createdAt: 2025-12-11T12:00:00
-updatedAt: 2025-12-13T17:42:53.341427
+updatedAt: 2025-12-13T19:24:01.550689
 workspaceId: wk_XKsmbMdFg7
 folderId: fl_Achievements
 authentication: {}