iven/erp
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix(config): resolve critical audit findings from Phase 1-3 review

Browse Source 
- C-1: Add tenant_id to settings unique index to prevent cross-tenant conflicts
- C-2: Move pg_advisory_xact_lock inside the transaction for correct concurrency
  (previously lock was released before the numbering transaction started)
- H-5: Add CORS middleware (permissive for dev, TODO: restrict in production)
This commit is contained in:
iven
2026-04-11 08:26:43 +08:00
parent 0baaf5f7ee
commit 0cbd08eb78
3 changed files with 22 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
crates/erp-server/migration/src/m20260412_000016_create_settings.rs
View File

@@ -68,7 +68,7 @@ impl MigrationTrait for Migration {
manager.get_connection().execute(sea_orm::Statement::from_string(
sea_orm::DatabaseBackend::Postgres,
"CREATE UNIQUE INDEX idx_settings_scope_key ON settings (scope, scope_id, setting_key) WHERE deleted_at IS NULL".to_string(),
"CREATE UNIQUE INDEX idx_settings_scope_key ON settings (tenant_id, scope, scope_id, setting_key) WHERE deleted_at IS NULL".to_string(),
)).await.map_err(|e| DbErr::Custom(e.to_string()))?;
Ok(())