trpc-protected-procedure-is-authn-only-not-authz
tRPC's protectedProcedure is an authentication gate only. tRPC itself does not ship it; the name comes from the create-t3-app template, where it is t.procedure.use(...) with a middleware that throws UNAUTHORIZED when ctx.session.user is missing and otherwise passes the call through. It verifies that some user is logged in, nothing more, and does not enforce resource-level authorization. Any authenticated user can therefore call any procedure built on it (e.g., allTasks, updateStatus on any task, creating updates on any task) unless each router adds explicit org_id/ownership checks on the rows it reads or writes. Role columns (admin vs member) in the schema are ignored unless the router code actively reads and enforces them; a column that no procedure consults provides no security.
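The difference as runnable code, added here as an illustration and not taken from the project the note describes. It stands in for a tRPC router with plain functions rather than the @trpc/server builder API, so it runs stand-alone; the Task shape, the org_id-scoped tenancy model, the role names and the sample users are assumptions for the example.

```typescript
// Added example: minimal stand-in for a tRPC router, not @trpc/server itself.
// Assumed shapes: one tenant column (orgId), one owner column, roles admin/member.
type Role = "admin" | "member";
interface User { id: string; orgId: string; role: Role }
interface Task { id: string; orgId: string; ownerId: string; status: string }
interface Ctx { user: User | null; db: Task[] }

// Uses the same error codes tRPC uses; stand-in for @trpc/server's TRPCError.
class TRPCError extends Error {
  constructor(public readonly code: "UNAUTHORIZED" | "FORBIDDEN" | "NOT_FOUND") {
    super(code);
  }
}

// Equivalent of the isAuthed middleware behind create-t3-app's protectedProcedure:
// it only proves that *someone* is logged in and narrows ctx.user to non-null.
function protectedProcedure(ctx: Ctx): Ctx & { user: User } {
  if (!ctx.user) throw new TRPCError("UNAUTHORIZED");
  return { ...ctx, user: ctx.user };
}

// VULNERABLE: authenticated, but any user sees every org's tasks and can change
// any task's status. This is exactly what "protectedProcedure alone" buys you.
function allTasksUnchecked(ctx: Ctx): Task[] {
  protectedProcedure(ctx);
  return ctx.db;
}
function updateStatusUnchecked(ctx: Ctx, input: { id: string; status: string }): Task {
  protectedProcedure(ctx);
  const task = ctx.db.find((t) => t.id === input.id);
  if (!task) throw new TRPCError("NOT_FOUND");
  task.status = input.status;
  return task;
}

// HARDENED: every lookup is scoped to the caller's org, and the mutation also
// requires ownership or the admin role read from the user record. A cross-org id
// is answered with NOT_FOUND, not FORBIDDEN, so the endpoint does not confirm
// that the id exists in another tenant.
function allTasksChecked(ctx: Ctx): Task[] {
  const { user, db } = protectedProcedure(ctx);
  return db.filter((t) => t.orgId === user.orgId);
}
function updateStatusChecked(ctx: Ctx, input: { id: string; status: string }): Task {
  const { user, db } = protectedProcedure(ctx);
  const task = db.find((t) => t.id === input.id && t.orgId === user.orgId);
  if (!task) throw new TRPCError("NOT_FOUND");
  if (task.ownerId !== user.id && user.role !== "admin") throw new TRPCError("FORBIDDEN");
  task.status = input.status;
  return task;
}

// Constructed fixture: two orgs with one task each, plus sample users.
function makeDb(): Task[] {
  return [
    { id: "t1", orgId: "orgA", ownerId: "alice", status: "open" },
    { id: "t2", orgId: "orgB", ownerId: "bob", status: "open" },
  ];
}
const alice: User = { id: "alice", orgId: "orgA", role: "member" };
const bob: User = { id: "bob", orgId: "orgB", role: "member" };
const daveMemberA: User = { id: "dave", orgId: "orgA", role: "member" };
const carolAdminA: User = { id: "carol", orgId: "orgA", role: "admin" };

// Returns the tRPC error code a call raises, or null when it succeeds.
function errorCode(fn: () => unknown): string | null {
  try {
    fn();
    return null;
  } catch (e) {
    return e instanceof TRPCError ? e.code : "OTHER";
  }
}

// Demo: bob (orgB) rewrites alice's task through the unchecked procedure,
// but is told NOT_FOUND by the checked one.
const demoDb = makeDb();
updateStatusUnchecked({ user: bob, db: demoDb }, { id: "t1", status: "hijacked" });
console.log("unchecked:", demoDb[0].status);
console.log("checked:", errorCode(() =>
  updateStatusChecked({ user: bob, db: makeDb() }, { id: "t1", status: "hijacked" })));
```

The check belongs inside every procedure (or in a second, resource-aware middleware that loads the row and compares its org_id and owner to ctx.user), because protectedProcedure never sees the input id and so cannot make that decision for you.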
Related
- r-same-m1-identity-complete-frontend-integration-tests
- salesforce
- r-same-m2-data-sources-m3-query-engine-foundation
- docker
- r-same-m1-identity-pass-2-admin-mfa-enroll-password-reset-re
- trpc-protected-procedure-insufficient-for-resource-authoriza
- trpc-protected-procedure-is-not-authorization
- auth-gate-alone-does-not-mean-authorization
- schema-level-roles-without-router-enforcement-provides-no-se
- protected-procedure-is-not-row-level-authorization