trpc-protected-procedure-is-not-authorization
In the TaskFlow codebase, protectedProcedure only verified authentication (JWT present) but did not enforce ownership or role-based access. Any authenticated user could call tasks.updateStatus or taskUpdates.create on any task they didn’t own. Role fields (admin/member) existed in the schema but were never checked in router middleware. Row-level authorization must be added per-procedure, not just at the authentication layer.
Related
- trpc-protected-procedure-is-authn-only-not-authz
- trpc-protected-procedure-insufficient-for-resource-authoriza
- docker
- nova-critical-learnings-consolidated
- r-dash-rbac-rls-non-negotiable-v1-feature
- auth-gate-alone-does-not-mean-authorization
- schema-level-roles-without-router-enforcement-provides-no-se
- protected-procedure-is-not-row-level-authorization