From c8d8c52d6e4d7bc5716f7e5848dad2de4aea55e1 Mon Sep 17 00:00:00 2001 From: Dmitry Vyukov Date: Thu, 19 Feb 2026 13:10:31 +0100 Subject: dashboard/app: fix API access checks Currently we permit per-namespace clients to access global APIs. For example, a secondary OS syz-manager client can poll bugs from all namespaces. This is wrong and bad. Don't permit namespace clients to access global APIs.
---
 dashboard/app/commit_poll_test.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'dashboard/app/commit_poll_test.go')
diff --git a/dashboard/app/commit_poll_test.go b/dashboard/app/commit_poll_test.go
index 5f80db826..e0f6fa92f 100644
--- a/dashboard/app/commit_poll_test.go
+++ b/dashboard/app/commit_poll_test.go
@@ -19,11 +19,11 @@ func TestCommitPoll(t *testing.T) {
 crash1 := testCrash(build1, 1)
 c.client.ReportCrash(crash1)
- rep1 := c.client.pollBug()
+ rep1 := c.globalClient.pollBug()
 crash2 := testCrash(build1, 2)
 c.client.ReportCrash(crash2)
- rep2 := c.client.pollBug()
+ rep2 := c.globalClient.pollBug()
 // No commits in commit poll.
 commitPollResp, err := c.client.CommitPoll()
@@ -36,7 +36,7 @@ func TestCommitPoll(t *testing.T) {
 c.expectEQ(len(commitPollResp.Commits), 0)
 // Specify fixing commit for the bug.
- reply, _ := c.client.ReportingUpdate(&dashapi.BugUpdate{
+ reply, _ := c.globalClient.ReportingUpdate(&dashapi.BugUpdate{
 ID: rep1.ID,
 Status: dashapi.BugStatusOpen,
 FixCommits: []string{"foo: fix1", "foo: fix2"},
-- cgit mrf-deployment
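Review bot: Nothing in this file asserts the behaviour the commit is about: both `pollBug()` calls here, and `ReportingUpdate()` in the second hunk, are simply moved to `c.globalClient`, so the test would pass just as well if the namespace client were still let through. The page is limited to this one file, so a denial test may exist elsewhere in the commit; if it does not, one test should issue a global call through `c.client` and expect an access error, since that is the regression that matters for an authorization fix. It would also help to say why the two clients are mixed, e.g. `// pollBug is a global API; the namespace client (c.client) is not permitted to call it.` above `rep1 := c.globalClient.pollBug()`. TestCommitPoll's body starts and ends outside the hunk.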
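Review bot: The error from `c.globalClient.ReportingUpdate(...)` is still discarded with `_` on the changed line, which matters more now that picking the wrong client produces an access failure instead of a successful call. Unless the test client already fails the test on API errors (not visible here), a denied request would only surface later as a confusing assertion on `reply`. Since `err` is already declared by the earlier `CommitPoll()` call, the line could read `reply, err := c.globalClient.ReportingUpdate(&dashapi.BugUpdate{`, with `err` checked before `reply` is used. The `BugUpdate` literal continues past the end of the hunk, so how `reply` is checked afterwards cannot be seen from here.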