trpc-protected-procedure-insufficient-for-resource-authorization
protectedProcedure in tRPC only verifies that the caller is authenticated; it does not scope the underlying query to the resources that caller owns or is otherwise permitted to access. Without an explicit ownership, organisation or role check in every procedure that touches a resource, any authenticated user can read or mutate any other user's tasks simply by supplying that task's id (a classic IDOR). Authorization has to be enforced where the query is built, by putting the caller's identity from ctx into the WHERE clause or equivalent predicate, not only at the authentication gate.
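The following is an added example, not code from the original note or from the tRPC project. It models tRPC's protectedProcedure middleware without depending on the @trpc/server package so it runs stand-alone; the names (Ctx, Task, tasksTable, TRPCError, requireAuthed and the handler functions) are assumptions for illustration, not the real library's API. It shows the authenticated-but-unscoped lookup beside the ownership- and org-scoped versions.

```typescript
// Added example (assumed names, not the real @trpc/server API).
type User = { id: string; orgId: string };
type Ctx = { user: User | null };
type Task = { id: string; ownerId: string; orgId: string; title: string; done: boolean };

// Constructed in-memory "table" standing in for the database.
const tasksTable: Task[] = [
  { id: "t1", ownerId: "alice", orgId: "org-a", title: "alice's task", done: false },
  { id: "t2", ownerId: "bob",   orgId: "org-b", title: "bob's task",   done: false },
];

type ErrorCode = "UNAUTHORIZED" | "FORBIDDEN" | "NOT_FOUND";
class TRPCError extends Error {
  code: ErrorCode;
  constructor(code: ErrorCode) { super(code); this.code = code; }
}

// Equivalent of the isAuthed middleware behind protectedProcedure: it only
// narrows ctx.user from User | null to User. Nothing here knows about tasks.
function requireAuthed(ctx: Ctx): Ctx & { user: User } {
  if (!ctx.user) throw new TRPCError("UNAUTHORIZED");
  return { ...ctx, user: ctx.user };
}

// VULNERABLE: authenticated, but the lookup is keyed only on the client-supplied
// id. Any logged-in user can fetch any task (an IDOR / broken object-level authz).
function getTaskUnscoped(ctx: Ctx, input: { id: string }): Task {
  requireAuthed(ctx);
  const task = tasksTable.find(t => t.id === input.id);
  if (!task) throw new TRPCError("NOT_FOUND");
  return task;
}

// FIXED: the ownership predicate is part of the query itself, so a foreign id
// never matches. Returning NOT_FOUND rather than FORBIDDEN also avoids
// confirming to the caller that the id exists.
function getTaskScoped(ctx: Ctx, input: { id: string }): Task {
  const { user } = requireAuthed(ctx);
  const task = tasksTable.find(t => t.id === input.id && t.ownerId === user.id);
  if (!task) throw new TRPCError("NOT_FOUND");
  return task;
}

// Mutation variant: the same scoped predicate guards the write, so an attacker
// cannot flip another user's task even though they are authenticated.
function completeTaskScoped(ctx: Ctx, input: { id: string }): Task {
  const { user } = requireAuthed(ctx);
  const task = tasksTable.find(t => t.id === input.id && t.ownerId === user.id);
  if (!task) throw new TRPCError("NOT_FOUND");
  task.done = true;
  return task;
}

// Org-scoped read: the tenant predicate comes from ctx (server-side identity),
// never from client input, so a caller cannot enumerate another org's tasks.
function listOrgTasks(ctx: Ctx): Task[] {
  const { user } = requireAuthed(ctx);
  return tasksTable.filter(t => t.orgId === user.orgId);
}

// Small helper that turns a procedure call into a comparable outcome string.
function attempt(fn: () => Task): string {
  try {
    return "ok:" + fn().id;
  } catch (e) {
    const code = (e as { code?: string }).code;
    return code ?? "ERROR";
  }
}

// Demo: bob is authenticated, and the unscoped procedure hands him alice's task.
const bobCtx: Ctx = { user: { id: "bob", orgId: "org-b" } };
console.log("unscoped:", attempt(() => getTaskUnscoped(bobCtx, { id: "t1" })));   // ok:t1 (IDOR)
console.log("scoped:  ", attempt(() => getTaskScoped(bobCtx, { id: "t1" })));     // NOT_FOUND
```

The point of the scoped versions is that the check is not a separate `if (task.ownerId !== user.id)` after the fetch that someone can forget on the next router; the identity from ctx is part of the predicate every time the table is touched. In a real tRPC code base the same idea is usually packaged as a procedure or middleware that loads the resource with the owner/org filter and attaches it to ctx, so individual resolvers cannot reach the table unscoped.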
Related
- trpc-protected-procedure-is-authn-only-not-authz
- r-same-m1-identity-pass-2-admin-mfa-enroll-password-reset-re
- clawteam-openclaw-multi-agent-swarm-evaluation
- r-dash-wave-2-pass-1-m4-semantic-m5-governance-models-rls-en
- r-same-m1-identity-complete-frontend-integration-tests
- trpc-protected-procedure-is-not-authorization
- auth-gate-alone-does-not-mean-authorization
- schema-level-roles-without-router-enforcement-provides-no-se
- protected-procedure-is-not-row-level-authorization