From 65b2583add9c6080bd52ee8f169c6472ebed0e32 Mon Sep 17 00:00:00 2001
From: "Rodrigo Rodriguez (Pragmatismo)"
Date: Fri, 2 Jan 2026 19:18:58 -0300
Subject: [PATCH] Add dynamic table check to all db_api handlers

- Added is_table_allowed_with_conn check to get_record_handler
- Added is_table_allowed_with_conn check to create_record_handler
- Added is_table_allowed_with_conn check to update_record_handler
- Added is_table_allowed_with_conn check to delete_record_handler
- Returns 404 with clear message if table doesn't exist
---
 src/basic/keywords/db_api.rs | 56 ++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)

diff --git a/src/basic/keywords/db_api.rs b/src/basic/keywords/db_api.rs
index a48c266d2..a7d24b939 100644
--- a/src/basic/keywords/db_api.rs
+++ b/src/basic/keywords/db_api.rs
@@ -256,6 +256,20 @@ pub async fn get_record_handler(
             .into_response();
     };
 
+    // Check if table actually exists in database (supports dynamic tables from app_generator)
+    if !is_table_allowed_with_conn(&mut conn, &table_name) {
+        warn!("Table not found in database: {}", table_name);
+        return (
+            StatusCode::NOT_FOUND,
+            Json(RecordResponse {
+                success: false,
+                data: None,
+                message: Some(format!("Table '{}' not found", table_name)),
+            }),
+        )
+            .into_response();
+    }
+
     // Check table-level read access
     let access_info =
         match check_table_access(&mut conn, &table_name, &user_roles, AccessType::Read) {
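Review bot: The new existence check runs before `check_table_access`, so a caller with no rights on any table now receives 404 for names that do not exist and 403 for names that do, which lets an unauthorized client enumerate the tables present in the database; the create, update and delete hunks have the same ordering. If the role lookup does not depend on the table existing, call `check_table_access` first, or return the same status and message for "missing" and "forbidden" so the two outcomes are indistinguishable to callers who lack access. The `warn!` on a condition any client can trigger with an arbitrary name will also be noisy under probing; `debug!("Table not found in database: {}", table_name);` is sufficient since the 404 already reports it. get_record_handler starts and ends outside the hunk.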
@@ -358,6 +372,20 @@ pub async fn create_record_handler(
             .into_response();
     };
 
+    // Check if table actually exists in database (supports dynamic tables from app_generator)
+    if !is_table_allowed_with_conn(&mut conn, &table_name) {
+        warn!("Table not found in database: {}", table_name);
+        return (
+            StatusCode::NOT_FOUND,
+            Json(RecordResponse {
+                success: false,
+                data: None,
+                message: Some(format!("Table '{}' not found", table_name)),
+            }),
+        )
+            .into_response();
+    }
+
     let access_info =
         match check_table_access(&mut conn, &table_name, &user_roles, AccessType::Write) {
             Ok(info) => info,
@@ -494,6 +522,20 @@ pub async fn update_record_handler(
         }
     };
 
+    // Check if table actually exists in database (supports dynamic tables from app_generator)
+    if !is_table_allowed_with_conn(&mut conn, &table_name) {
+        warn!("Table not found in database: {}", table_name);
+        return (
+            StatusCode::NOT_FOUND,
+            Json(RecordResponse {
+                success: false,
+                data: None,
+                message: Some(format!("Table '{}' not found", table_name)),
+            }),
+        )
+            .into_response();
+    }
+
     // Check table-level write access
     let access_info =
         match check_table_access(&mut conn, &table_name, &user_roles, AccessType::Write) {
@@ -591,6 +633,20 @@ pub async fn delete_record_handler(
             .into_response();
     };
 
+    // Check if table actually exists in database (supports dynamic tables from app_generator)
+    if !is_table_allowed_with_conn(&mut conn, &table_name) {
+        warn!("Table not found in database: {}", table_name);
+        return (
+            StatusCode::NOT_FOUND,
+            Json(DeleteResponse {
+                success: false,
+                deleted: 0,
+                message: Some(format!("Table '{}' not found", table_name)),
+            }),
+        )
+            .into_response();
+    }
+
     if let Err(e) = check_table_access(&mut conn, &table_name, &user_roles, AccessType::Write) {
         return (
             StatusCode::FORBIDDEN,
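Review bot: The fourteen-line existence-check block is pasted verbatim into four handlers, differing only in the response struct (RecordResponse here and in the get and update hunks, DeleteResponse in the delete hunk), so any later change to the 404 wording, log level or check ordering has to be repeated four times and will drift. A small helper that takes the connection and table name and returns the early-return response as an `Option`, or a bool the caller maps to its own response type, would keep the check in one place; the comment on it should state that it runs for dynamically created tables as well as static ones. create_record_handler starts and ends outside the hunk.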
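Review bot: `is_table_allowed_with_conn` returns a plain bool, so if its implementation maps a failed lookup (lost connection, query error) to `false`, a transient database failure at this point is reported to the client as a 404 "Table not found" and logged only as a missing table, hiding the real fault; its definition is not in the patch, so this needs confirming. If it can fail, returning a `Result<bool, _>` and mapping the error arm to a 500 with a separate log line keeps "does not exist" and "could not check" distinguishable. update_record_handler starts and ends outside the hunk.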