748ea59c80
Permission service:
- Add hasAccess() with explicit minLevel param, deprecate canAccess()
- Cycle protection + depth limit (50) on all parent traversal
- Pick highest access level across multiple roles (was using first match)
- isPublic only grants view on directly requested folder, not inherited
- Sanitize file extension from content-type
- Clean up orphaned traverse perms when removing permissions
- Add getPermissionById() for authz checks on permission deletion
Storage routes:
- All write ops require edit via hasAccess() — traverse can no longer
create folders, upload files, rename, toggle isPublic, or delete
- Permission delete requires admin access on the folder
- Permission list requires admin access on the folder
- Folder children listing filtered by user access
- File search results filtered by user access (was returning all)
- Signed URL requires view (was using canAccess which allows traverse)
WebDAV:
- 100MB upload size limit (was unbounded — OOM risk)
- PROPFIND root filters folders by user access (was listing all)
- COPY uses hasAccess('view') not canAccess (traverse bypass)
- All writes use hasAccess('edit') consistently
- MKCOL at root requires files.delete permission
- Lock ownership enforced on UNLOCK (was allowing any user)
- Lock conflict check on LOCK (423 if locked by another user)
- Lock enforcement on PUT and DELETE (423 if locked by another)
- Max 100 locks per user, periodic expired lock cleanup
- Path traversal protection: reject .. and null bytes in segments
- Brute-force protection: 10 failed attempts per IP, 5min lockout
Forte
Music store management platform — POS, inventory, rentals, lessons, repairs, and accounting.
Built by Lunarfront Tech LLC.
Tech Stack
- Runtime: Bun
- Language: TypeScript (end-to-end)
- API: Fastify + Drizzle ORM + PostgreSQL 16
- Frontend: React + TanStack Router + TanStack Query
- Validation: Zod (shared schemas)
- Queue/Cache: BullMQ + Valkey 8
- Monorepo: Turborepo + Bun workspaces
Quick Start
bun install
cp .env.example .env # configure DATABASE_URL, REDIS_URL, JWT_SECRET
cd packages/backend && bunx drizzle-kit migrate
bun run dev # starts backend (:8000) + admin UI (:5173)
Packages
| Package | Description |
|---|---|
packages/backend |
Fastify API server |
packages/admin |
Admin UI (React + Vite) |
packages/shared |
Zod schemas, types, shared utils |
Documentation
| Doc | Description |
|---|---|
| Setup | Prerequisites, environment, installation, running |
| Architecture | Monorepo structure, backend/frontend design, state management |
| API Reference | All endpoints, pagination, auth, permissions |
| Database | Schema overview, migrations, multi-tenancy |
| Testing | Test runner, suites, writing tests, assertions |
Commands
bun run dev # start all packages in dev mode
bun run test # run all tests
bun run lint # lint all packages
bun run format # format with Prettier
License
Proprietary. All rights reserved.