feat: list all accounts/applications regardless of access #9
Stop filtering ListAccounts/ListApplications by access groups so anyone can see what already exists (prevents accidental name collisions when creating new entries). Detail/CRUD endpoints stay gated. Each list item carries a can_access bool computed server-side. The UI renders locked cards as non-clickable with a lock icon + muted styling instead of the arrow-out affordance.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 37de37d8ad
authorized = append(authorized, account)
}
response = append(response, accountListItem{
AccountWithSecretCount: account,
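Review bot: `authorized` is still appended to inside the block, but `response = append(response, accountListItem{...})` runs after the closing brace for every account, so the slice looks like a leftover from the filtered version of ListAccounts; if nothing reads it after the loop, delete it (appending counts as a use, so the compiler will not flag it as dead).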
Redact secret metadata for locked accounts
When an authenticated caller lacks this account's access group, the new list item still embeds the full AccountWithSecretCount, so /accounts exposes restricted account metadata such as secret_count, URL, description, group names, and creator/updater IDs even though GetAccount would reject the same caller. If access groups are used to keep an account's secret inventory private, any user can now enumerate that inventory from the list response; return a redacted item for CanAccess == false instead of the full counted model.
authorized = append(authorized, application)
}
response = append(response, applicationListItem{
ApplicationWithSecretCount: application,
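Review bot: same shape as the accounts handler: `authorized = append(authorized, application)` sits inside the block while `response` receives every application after the closing brace, so `authorized` no longer gates anything visible here; if it has no remaining reader, remove it from both list handlers rather than carrying a dead accumulator, and consider putting the item construction in one shared helper so a redaction rule only has to be written once.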
Redact secret counts for locked applications
When a caller is authenticated but not in an application's access group, this still embeds ApplicationWithSecretCount, so /app-secrets reveals the restricted application's secret count and access-group metadata while GetApplication and the secret endpoints remain denied. That lets any user track the contents of applications they cannot open; build a redacted list shape for CanAccess == false or omit the count until the caller is authorized.
- ListAccounts/ListApplications no longer filter by access groups — everyone can see what exists so new entries don't collide on names
- can_access: bool (computed server-side via existing RequestTokenCanAccessAccount/Application)
- <div>s with a Lock icon (replacing the ArrowUpRight) and opacity-60 muted styling
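As an added example, not the PR's own code: one way to shape the unfiltered list response so that locked entries stay discoverable by name (the collision-avoidance goal of the PR) but carry none of the counted metadata the review comments flag. The type names Account, Caller and accountListItem, the Caller.CanAccess check and the sample accounts are stand-ins I constructed for the project's AccountWithSecretCount, RequestTokenCanAccessAccount and list item; the same shape applies to applications.

```go
// Added example (not the project's code). Names below are hypothetical
// stand-ins for the PR's accountListItem / AccountWithSecretCount /
// RequestTokenCanAccessAccount.
package main

import (
	"encoding/json"
	"fmt"
)

// Account stands in for the project's AccountWithSecretCount model.
type Account struct {
	ID           int64    `json:"id"`
	Name         string   `json:"name"`
	URL          string   `json:"url"`
	Description  string   `json:"description"`
	AccessGroups []string `json:"access_groups"`
	CreatedBy    int64    `json:"created_by"`
	SecretCount  int      `json:"secret_count"`
}

// Caller carries the access groups resolved from the request token.
type Caller struct {
	Groups map[string]bool
}

// CanAccess mirrors a server-side group check: any shared group grants access.
func (c Caller) CanAccess(a Account) bool {
	for _, g := range a.AccessGroups {
		if c.Groups[g] {
			return true
		}
	}
	return false
}

// accountListItem is the wire shape for the list endpoint. The metadata
// fields are pointers/slices with omitempty, so when the caller is locked
// out they are left nil and vanish from the JSON entirely: a locked entry
// exposes only id, name and can_access.
type accountListItem struct {
	ID           int64    `json:"id"`
	Name         string   `json:"name"`
	CanAccess    bool     `json:"can_access"`
	URL          *string  `json:"url,omitempty"`
	Description  *string  `json:"description,omitempty"`
	AccessGroups []string `json:"access_groups,omitempty"`
	CreatedBy    *int64   `json:"created_by,omitempty"`
	SecretCount  *int     `json:"secret_count,omitempty"`
}

// buildAccountList returns every account (names stay visible for collision
// avoidance) but fills in the counted metadata only for accounts the caller
// is allowed to open.
func buildAccountList(caller Caller, accounts []Account) []accountListItem {
	out := make([]accountListItem, 0, len(accounts))
	for _, a := range accounts {
		item := accountListItem{ID: a.ID, Name: a.Name, CanAccess: caller.CanAccess(a)}
		if item.CanAccess {
			a := a // per-iteration copy so the pointers do not alias the loop variable
			item.URL = &a.URL
			item.Description = &a.Description
			item.AccessGroups = a.AccessGroups
			item.CreatedBy = &a.CreatedBy
			item.SecretCount = &a.SecretCount
		}
		out = append(out, item)
	}
	return out
}

// sampleAccounts is constructed test data, not taken from the project.
var sampleAccounts = []Account{
	{ID: 1, Name: "prod-db", URL: "https://db.example.internal", Description: "Production database", AccessGroups: []string{"dba"}, CreatedBy: 7, SecretCount: 12},
	{ID: 2, Name: "shared-ci", URL: "https://ci.example.internal", Description: "CI tokens", AccessGroups: []string{"dev", "dba"}, CreatedBy: 3, SecretCount: 4},
}

func main() {
	// A caller in "dev" only: prod-db is listed but redacted, shared-ci is full.
	caller := Caller{Groups: map[string]bool{"dev": true}}
	b, _ := json.MarshalIndent(buildAccountList(caller, sampleAccounts), "", "  ")
	fmt.Println(string(b))
}
```

The locked entry serialises as `{"id":1,"name":"prod-db","can_access":false}`, which is exactly the information the UI needs to draw a muted, non-clickable card, and nothing GetAccount would have refused to return.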