+5

pkg/appview/storage/proxy_blob_store.go

reviewed

··· 97 97 if p.ctx.Authorizer == nil { 98 98 return nil // No authorization check if authorizer not configured 99 99 } 100 100 + 101 101 + fmt.Printf("[checkWriteAccess] Checking write access for userDID=%s to holdDID=%s\n", p.ctx.DID, p.ctx.HoldDID) 100 102 allowed, err := p.ctx.Authorizer.CheckWriteAccess(ctx, p.ctx.HoldDID, p.ctx.DID) 101 103 if err != nil { 104 104 + fmt.Printf("[checkWriteAccess] Authorization check error: %v\n", err) 102 105 return fmt.Errorf("authorization check failed: %w", err) 103 106 } 104 107 if !allowed { 108 108 + fmt.Printf("[checkWriteAccess] Write access DENIED for userDID=%s to holdDID=%s\n", p.ctx.DID, p.ctx.HoldDID) 105 109 return fmt.Errorf("write access denied to hold %s", p.ctx.HoldDID) 106 110 } 111 111 + fmt.Printf("[checkWriteAccess] Write access ALLOWED for userDID=%s to holdDID=%s\n", p.ctx.DID, p.ctx.HoldDID) 107 112 return nil 108 113 } 109 114

+9

pkg/auth/hold_authorizer.go

reviewed

··· 55 55 // - Must be authenticated 56 56 // - Must be hold owner OR crew member 57 57 func CheckWriteAccessWithCaptain(captain *atproto.CaptainRecord, userDID string, isCrew bool) bool { 58 58 + fmt.Printf("[CheckWriteAccessWithCaptain] userDID=%s captain.Owner=%s isCrew=%v\n", userDID, captain.Owner, isCrew) 59 59 + 58 60 if userDID == "" { 59 61 // Anonymous writes not allowed 62 62 + fmt.Printf("[CheckWriteAccessWithCaptain] DENIED: Anonymous user\n") 60 63 return false 61 64 } 62 65 63 66 // Check if DID is the hold owner 64 67 if userDID == captain.Owner { 65 68 // Owner always has write access 69 69 + fmt.Printf("[CheckWriteAccessWithCaptain] ALLOWED: User is hold owner\n") 66 70 return true 67 71 } 68 72 69 73 // Check if DID is a crew member 74 74 + if isCrew { 75 75 + fmt.Printf("[CheckWriteAccessWithCaptain] ALLOWED: User is crew member\n") 76 76 + } else { 77 77 + fmt.Printf("[CheckWriteAccessWithCaptain] DENIED: User is not owner or crew\n") 78 78 + } 70 79 return isCrew 71 80 } 72 81

+6

pkg/auth/hold_remote.go

reviewed

··· 265 265 266 266 // Check approval cache first (15min TTL) 267 267 if approved, err := a.getCachedApproval(holdDID, userDID); err == nil && approved { 268 268 + fmt.Printf("[IsCrewMember] Using cached APPROVAL: holdDID=%s userDID=%s\n", holdDID, userDID) 268 269 return true, nil 269 270 } 270 271 271 272 // Check denial cache with backoff 272 273 if blocked, err := a.isBlockedByDenialBackoff(holdDID, userDID); err == nil && blocked { 273 274 // Still in backoff period - don't query again 275 275 + fmt.Printf("[IsCrewMember] BLOCKED by denial backoff cache: holdDID=%s userDID=%s\n", holdDID, userDID) 274 276 return false, nil 275 277 } 276 278 277 279 // Cache miss or expired - query XRPC endpoint 280 280 + fmt.Printf("[IsCrewMember] Cache miss, querying hold: holdDID=%s userDID=%s\n", holdDID, userDID) 278 281 isCrew, err := a.isCrewMemberNoCache(ctx, holdDID, userDID) 279 282 if err != nil { 283 283 + fmt.Printf("[IsCrewMember] Query error: %v\n", err) 280 284 return false, err 281 285 } 282 286 283 287 // Update cache based on result 284 288 if isCrew { 285 289 // Cache approval for 15 minutes 290 290 + fmt.Printf("[IsCrewMember] Query result: APPROVED, caching for 15min\n") 286 291 _ = a.cacheApproval(holdDID, userDID, 15*time.Minute) 287 292 } else { 288 293 // Cache denial with exponential backoff 294 294 + fmt.Printf("[IsCrewMember] Query result: DENIED, caching with backoff\n") 289 295 _ = a.cacheDenial(holdDID, userDID) 290 296 } 291 297