fix: add nil check for currentUser in DeleteUser

Defense-in-depth fix: Add missing nil check before accessing currentUser.ID and currentUser.Role in DeleteUser function. While the auth interceptor should block unauthenticated requests, this check prevents potential nil pointer panic if fetchCurrentUser returns (nil, nil).

fix: add nil check for currentUser in DeleteUser
Defense-in-depth fix: Add missing nil check before accessing currentUser.ID and currentUser.Role in DeleteUser function. While the auth interceptor should block unauthenticated requests, this check prevents potential nil pointer panic if fetchCurrentUser returns (nil, nil).
1696c6c4 · Johnny · c7b48b80 · 1696c6c4
Commit 1696c6c4 authored Jan 31, 2026 by Johnny
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

user_service.go server/router/api/v1/user_service.go +3 -0

No files found.
--- a/server/router/api/v1/user_service.go
+++ b/server/router/api/v1/user_service.go
@@ -301,6 +301,9 @@ func (s *APIV1Service) DeleteUser(ctx context.Context, request *v1pb.DeleteUserR
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
 	}
+	if currentUser == nil {
+		return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
+	}
 	if currentUser.ID != userID && currentUser.Role != store.RoleAdmin {
 		return nil, status.Errorf(codes.PermissionDenied, "permission denied")
 	}