Add dynamic table check to all db_api handlers

- Added is_table_allowed_with_conn check to get_record_handler - Added is_table_allowed_with_conn check to create_record_handler - Added is_table_allowed_with_conn check to update_record_handler - Added is_table_allowed_with_conn check to delete_record_handler - Returns 404 with clear message if table doesn't exist
2026-01-02 19:18:58 -03:00 · 2026-01-02 19:18:58 -03:00 · 65b2583add
commit 65b2583add
parent 56265ee5d2
1 changed files with 56 additions and 0 deletions
--- a/src/basic/keywords/db_api.rs
+++ b/src/basic/keywords/db_api.rs
@ -256,6 +256,20 @@ pub async fn get_record_handler(
            .into_response();
    };

+    // Check if table actually exists in database (supports dynamic tables from app_generator)
+    if !is_table_allowed_with_conn(&mut conn, &table_name) {
+        warn!("Table not found in database: {}", table_name);
+        return (
+            StatusCode::NOT_FOUND,
+            Json(RecordResponse {
+                success: false,
+                data: None,
+                message: Some(format!("Table '{}' not found", table_name)),
+            }),
+        )
+            .into_response();
+    }
+
    // Check table-level read access
    let access_info =
        match check_table_access(&mut conn, &table_name, &user_roles, AccessType::Read) {
@ -358,6 +372,20 @@ pub async fn create_record_handler(
            .into_response();
    };

+    // Check if table actually exists in database (supports dynamic tables from app_generator)
+    if !is_table_allowed_with_conn(&mut conn, &table_name) {
+        warn!("Table not found in database: {}", table_name);
+        return (
+            StatusCode::NOT_FOUND,
+            Json(RecordResponse {
+                success: false,
+                data: None,
+                message: Some(format!("Table '{}' not found", table_name)),
+            }),
+        )
+            .into_response();
+    }
+
    let access_info =
        match check_table_access(&mut conn, &table_name, &user_roles, AccessType::Write) {
            Ok(info) => info,
@ -494,6 +522,20 @@ pub async fn update_record_handler(
        }
    };

+    // Check if table actually exists in database (supports dynamic tables from app_generator)
+    if !is_table_allowed_with_conn(&mut conn, &table_name) {
+        warn!("Table not found in database: {}", table_name);
+        return (
+            StatusCode::NOT_FOUND,
+            Json(RecordResponse {
+                success: false,
+                data: None,
+                message: Some(format!("Table '{}' not found", table_name)),
+            }),
+        )
+            .into_response();
+    }
+
    // Check table-level write access
    let access_info =
        match check_table_access(&mut conn, &table_name, &user_roles, AccessType::Write) {
@ -591,6 +633,20 @@ pub async fn delete_record_handler(
            .into_response();
    };

+    // Check if table actually exists in database (supports dynamic tables from app_generator)
+    if !is_table_allowed_with_conn(&mut conn, &table_name) {
+        warn!("Table not found in database: {}", table_name);
+        return (
+            StatusCode::NOT_FOUND,
+            Json(DeleteResponse {
+                success: false,
+                deleted: 0,
+                message: Some(format!("Table '{}' not found", table_name)),
+            }),
+        )
+            .into_response();
+    }
+
    if let Err(e) = check_table_access(&mut conn, &table_name, &user_roles, AccessType::Write) {
        return (
            StatusCode::FORBIDDEN,