Add team ownership check in /injury set-new #18

New Issue

Closed

opened 2026-02-20 06:48:50 +00:00 by cal · 0 comments

cal commented 2026-02-20 06:48:50 +00:00

Owner

Copy Link

Description

commands/injuries/management.py:418 — The injury_set_new command explicitly skips verifying that the invoking user actually owns the team the player is on. The comment reads: # TODO: Add team ownership verification. Any league player with the Season 13 Players role can currently set an injury on any player on any team without being blocked.

File Locations

• commands/injuries/management.py:418

Labels

security, bug, todo

Priority

high

## Description `commands/injuries/management.py:418` — The `injury_set_new` command explicitly skips verifying that the invoking user actually owns the team the player is on. The comment reads: `# TODO: Add team ownership verification`. Any league player with the `Season 13 Players` role can currently set an injury on any player on any team without being blocked. ## File Locations - `commands/injuries/management.py:418` ## Labels security, bug, todo ## Priority high

cal referenced this issue 2026-03-01 22:10:20 +00:00

Add team ownership verification to /injury set-new #17

cal referenced this issue from a commit 2026-03-01 22:18:38 +00:00

feat: add team ownership verification to /injury set-new and /injury clear (closes #18)

cal referenced a pull request that will close this issue 2026-03-01 22:18:51 +00:00

feat: add team ownership verification to /injury commands (closes #18) #53

cal referenced this issue from a commit 2026-03-01 22:41:06 +00:00

feat: add team ownership verification to /injury set-new and /injury clear (closes #18)

cal referenced this issue from a commit 2026-03-01 23:00:01 +00:00

feat: add team ownership verification to /injury set-new and /injury clear (closes #18)

cal closed this issue 2026-03-02 19:14:41 +00:00

cal referenced this issue from a commit 2026-03-02 19:14:43 +00:00

Merge pull request 'feat: add team ownership verification to /injury commands (closes #18)' (#53) from fix/injury-team-ownership-check into next-release

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

fix/submit-modal-missing-logger

ai/major-domo-v2-91

ai/major-domo-v2-82

fix/scorecard-submission-resilience

fix/utc-timezone-scheduling

fix/scorebug-bugs

2026.3.13

2026.3.12

2026.3.11

2026.3.10

2026.3.9

2026.3.8

2026.3.7

2026.3.6

2026.3.5

2026.3.4

2026.3.3

2026.3.2

2026.3.1

2026.2.5

2026.2.4

2026.2.3

2026.2.2

2026.2.1

Labels

Clear labels   

ai-changes-requested

  

ai-pr-opened

  

ai-reviewed

  

ai-reviewing

  

ai-working

  

in-next-release

Fix included in the next-release branch, pending merge to main

  

status/in-progress

Work is actively in progress

  

status/pr-open

A pull request has been opened for this issue

No Label

ai-changes-requested

ai-pr-opened

ai-reviewed

ai-reviewing

ai-working

in-next-release

status/in-progress

status/pr-open

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

1 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: cal/major-domo-v2#18

No description provided.