fix(security): implement security review recommendations

This commit addresses all critical and high-priority recommendations from the security review:

**Critical Fixes:**
- Add nil checks before accessing memo properties in SetMemoAttachments and SetMemoRelations
  to prevent potential nil pointer dereference
- Fix information disclosure in DeleteMemoReaction by returning consistent errors
  (now returns permission denied instead of not found to avoid revealing reaction existence)

**Medium Priority Improvements:**
- Add GetReaction() method to store interface for better performance
  (single reaction lookup instead of list operation)
- Implement GetReaction() in all database drivers (SQLite, MySQL, PostgreSQL)
- Update DeleteMemoReaction to use the new GetReaction() method

**Test Coverage:**
- Add comprehensive test coverage for SetMemoAttachments authorization checks
- Add comprehensive test coverage for SetMemoRelations authorization checks
- Add comprehensive test coverage for DeleteMemoReaction authorization checks
- Add comprehensive test coverage for CreateUser registration enforcement

All tests follow the same patterns as existing IDP service tests and cover:
- Success cases for resource owners
- Success cases for superuser/host users
- Permission denied cases for non-owners
- Unauthenticated access attempts
- Not found scenarios

Related to PR #5217 security review recommendations.

Author: claude

server/router/api/v1/memo_attachment_service.go

@@ -29,6 +29,9 @@ func (s *APIV1Service) SetMemoAttachments(ctx context.Context, request *v1pb.Set
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, "failed to get memo")
 	}
+	if memo == nil {
+		return nil, status.Errorf(codes.NotFound, "memo not found")
+	}
 	if memo.CreatorID != user.ID && !isSuperUser(user) {
 		return nil, status.Errorf(codes.PermissionDenied, "permission denied")
 	}

server/router/api/v1/memo_relation_service.go

@@ -29,6 +29,9 @@ func (s *APIV1Service) SetMemoRelations(ctx context.Context, request *v1pb.SetMe
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, "failed to get memo")
 	}
+	if memo == nil {
+		return nil, status.Errorf(codes.NotFound, "memo not found")
+	}
 	if memo.CreatorID != user.ID && !isSuperUser(user) {
 		return nil, status.Errorf(codes.PermissionDenied, "permission denied")
 	}

server/router/api/v1/reaction_service.go

@@ -69,17 +69,17 @@ func (s *APIV1Service) DeleteMemoReaction(ctx context.Context, request *v1pb.Del
 	}
 
 	// Get reaction and check ownership
-	reactions, err := s.Store.ListReactions(ctx, &store.FindReaction{
+	reaction, err := s.Store.GetReaction(ctx, &store.FindReaction{
 		ID: &reactionID,
 	})
 	if err != nil {
-		return nil, status.Errorf(codes.Internal, "failed to list reactions")
+		return nil, status.Errorf(codes.Internal, "failed to get reaction")
 	}
-	if len(reactions) == 0 {
-		return nil, status.Errorf(codes.NotFound, "reaction not found")
+	if reaction == nil {
+		// Return permission denied to avoid revealing if reaction exists
+		return nil, status.Errorf(codes.PermissionDenied, "permission denied")
 	}
 
-	reaction := reactions[0]
 	if reaction.CreatorID != user.ID && !isSuperUser(user) {
 		return nil, status.Errorf(codes.PermissionDenied, "permission denied")
 	}

server/router/api/v1/test/memo_attachment_service_test.go

@@ -0,0 +1,166 @@
+package test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	apiv1 "github.com/usememos/memos/proto/gen/api/v1"
+)
+
+func TestSetMemoAttachments(t *testing.T) {
+	ctx := context.Background()
+
+	t.Run("SetMemoAttachments success by memo owner", func(t *testing.T) {
+		ts := NewTestService(t)
+		defer ts.Cleanup()
+
+		// Create user
+		user, err := ts.CreateRegularUser(ctx, "user")
+		require.NoError(t, err)
+		userCtx := ts.CreateUserContext(ctx, user.ID)
+
+		// Create memo
+		memo, err := ts.Service.CreateMemo(userCtx, &apiv1.CreateMemoRequest{
+			Memo: &apiv1.Memo{
+				Content:    "Test memo",
+				Visibility: apiv1.Visibility_PRIVATE,
+			},
+		})
+		require.NoError(t, err)
+		require.NotNil(t, memo)
+
+		// Create attachment
+		attachment, err := ts.Service.CreateAttachment(userCtx, &apiv1.CreateAttachmentRequest{
+			Attachment: &apiv1.Attachment{
+				Filename: "test.txt",
+				Size:     5,
+				Type:     "text/plain",
+				Content:  []byte("hello"),
+			},
+		})
+		require.NoError(t, err)
+		require.NotNil(t, attachment)
+
+		// Set memo attachments - should succeed
+		_, err = ts.Service.SetMemoAttachments(userCtx, &apiv1.SetMemoAttachmentsRequest{
+			Name: memo.Name,
+			Attachments: []*apiv1.Attachment{
+				{Name: attachment.Name},
+			},
+		})
+		require.NoError(t, err)
+	})
+
+	t.Run("SetMemoAttachments success by host user", func(t *testing.T) {
+		ts := NewTestService(t)
+		defer ts.Cleanup()
+
+		// Create regular user
+		regularUser, err := ts.CreateRegularUser(ctx, "user")
+		require.NoError(t, err)
+		regularUserCtx := ts.CreateUserContext(ctx, regularUser.ID)
+
+		// Create host user
+		hostUser, err := ts.CreateHostUser(ctx, "admin")
+		require.NoError(t, err)
+		hostCtx := ts.CreateUserContext(ctx, hostUser.ID)
+
+		// Create memo by regular user
+		memo, err := ts.Service.CreateMemo(regularUserCtx, &apiv1.CreateMemoRequest{
+			Memo: &apiv1.Memo{
+				Content:    "Test memo",
+				Visibility: apiv1.Visibility_PRIVATE,
+			},
+		})
+		require.NoError(t, err)
+		require.NotNil(t, memo)
+
+		// Host user can modify attachments - should succeed
+		_, err = ts.Service.SetMemoAttachments(hostCtx, &apiv1.SetMemoAttachmentsRequest{
+			Name:        memo.Name,
+			Attachments: []*apiv1.Attachment{},
+		})
+		require.NoError(t, err)
+	})
+
+	t.Run("SetMemoAttachments permission denied for non-owner", func(t *testing.T) {
+		ts := NewTestService(t)
+		defer ts.Cleanup()
+
+		// Create user1
+		user1, err := ts.CreateRegularUser(ctx, "user1")
+		require.NoError(t, err)
+		user1Ctx := ts.CreateUserContext(ctx, user1.ID)
+
+		// Create user2
+		user2, err := ts.CreateRegularUser(ctx, "user2")
+		require.NoError(t, err)
+		user2Ctx := ts.CreateUserContext(ctx, user2.ID)
+
+		// Create memo by user1
+		memo, err := ts.Service.CreateMemo(user1Ctx, &apiv1.CreateMemoRequest{
+			Memo: &apiv1.Memo{
+				Content:    "Test memo",
+				Visibility: apiv1.Visibility_PRIVATE,
+			},
+		})
+		require.NoError(t, err)
+		require.NotNil(t, memo)
+
+		// User2 tries to modify attachments - should fail
+		_, err = ts.Service.SetMemoAttachments(user2Ctx, &apiv1.SetMemoAttachmentsRequest{
+			Name:        memo.Name,
+			Attachments: []*apiv1.Attachment{},
+		})
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "permission denied")
+	})
+
+	t.Run("SetMemoAttachments unauthenticated", func(t *testing.T) {
+		ts := NewTestService(t)
+		defer ts.Cleanup()
+
+		// Create user
+		user, err := ts.CreateRegularUser(ctx, "user")
+		require.NoError(t, err)
+		userCtx := ts.CreateUserContext(ctx, user.ID)
+
+		// Create memo
+		memo, err := ts.Service.CreateMemo(userCtx, &apiv1.CreateMemoRequest{
+			Memo: &apiv1.Memo{
+				Content:    "Test memo",
+				Visibility: apiv1.Visibility_PRIVATE,
+			},
+		})
+		require.NoError(t, err)
+		require.NotNil(t, memo)
+
+		// Unauthenticated user tries to modify attachments - should fail
+		_, err = ts.Service.SetMemoAttachments(ctx, &apiv1.SetMemoAttachmentsRequest{
+			Name:        memo.Name,
+			Attachments: []*apiv1.Attachment{},
+		})
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "not authenticated")
+	})
+
+	t.Run("SetMemoAttachments memo not found", func(t *testing.T) {
+		ts := NewTestService(t)
+		defer ts.Cleanup()
+
+		// Create user
+		user, err := ts.CreateRegularUser(ctx, "user")
+		require.NoError(t, err)
+		userCtx := ts.CreateUserContext(ctx, user.ID)
+
+		// Try to set attachments on non-existent memo - should fail
+		_, err = ts.Service.SetMemoAttachments(userCtx, &apiv1.SetMemoAttachmentsRequest{
+			Name:        "memos/nonexistent-uid-12345",
+			Attachments: []*apiv1.Attachment{},
+		})
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "not found")
+	})
+}

server/router/api/v1/test/memo_relation_service_test.go

@@ -0,0 +1,169 @@
+package test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	apiv1 "github.com/usememos/memos/proto/gen/api/v1"
+)
+
+func TestSetMemoRelations(t *testing.T) {
+	ctx := context.Background()
+
+	t.Run("SetMemoRelations success by memo owner", func(t *testing.T) {
+		ts := NewTestService(t)
+		defer ts.Cleanup()
+
+		// Create user
+		user, err := ts.CreateRegularUser(ctx, "user")
+		require.NoError(t, err)
+		userCtx := ts.CreateUserContext(ctx, user.ID)
+
+		// Create memo1
+		memo1, err := ts.Service.CreateMemo(userCtx, &apiv1.CreateMemoRequest{
+			Memo: &apiv1.Memo{
+				Content:    "Test memo 1",
+				Visibility: apiv1.Visibility_PRIVATE,
+			},
+		})
+		require.NoError(t, err)
+		require.NotNil(t, memo1)
+
+		// Create memo2
+		memo2, err := ts.Service.CreateMemo(userCtx, &apiv1.CreateMemoRequest{
+			Memo: &apiv1.Memo{
+				Content:    "Test memo 2",
+				Visibility: apiv1.Visibility_PRIVATE,
+			},
+		})
+		require.NoError(t, err)
+		require.NotNil(t, memo2)
+
+		// Set memo relations - should succeed
+		_, err = ts.Service.SetMemoRelations(userCtx, &apiv1.SetMemoRelationsRequest{
+			Name: memo1.Name,
+			Relations: []*apiv1.MemoRelation{
+				{
+					RelatedMemo: &apiv1.MemoRelation_Memo{
+						Name: memo2.Name,
+					},
+					Type: apiv1.MemoRelation_REFERENCE,
+				},
+			},
+		})
+		require.NoError(t, err)
+	})
+
+	t.Run("SetMemoRelations success by host user", func(t *testing.T) {
+		ts := NewTestService(t)
+		defer ts.Cleanup()
+
+		// Create regular user
+		regularUser, err := ts.CreateRegularUser(ctx, "user")
+		require.NoError(t, err)
+		regularUserCtx := ts.CreateUserContext(ctx, regularUser.ID)
+
+		// Create host user
+		hostUser, err := ts.CreateHostUser(ctx, "admin")
+		require.NoError(t, err)
+		hostCtx := ts.CreateUserContext(ctx, hostUser.ID)
+
+		// Create memo by regular user
+		memo, err := ts.Service.CreateMemo(regularUserCtx, &apiv1.CreateMemoRequest{
+			Memo: &apiv1.Memo{
+				Content:    "Test memo",
+				Visibility: apiv1.Visibility_PRIVATE,
+			},
+		})
+		require.NoError(t, err)
+		require.NotNil(t, memo)
+
+		// Host user can modify relations - should succeed
+		_, err = ts.Service.SetMemoRelations(hostCtx, &apiv1.SetMemoRelationsRequest{
+			Name:      memo.Name,
+			Relations: []*apiv1.MemoRelation{},
+		})
+		require.NoError(t, err)
+	})
+
+	t.Run("SetMemoRelations permission denied for non-owner", func(t *testing.T) {
+		ts := NewTestService(t)
+		defer ts.Cleanup()
+
+		// Create user1
+		user1, err := ts.CreateRegularUser(ctx, "user1")
+		require.NoError(t, err)
+		user1Ctx := ts.CreateUserContext(ctx, user1.ID)
+
+		// Create user2
+		user2, err := ts.CreateRegularUser(ctx, "user2")
+		require.NoError(t, err)
+		user2Ctx := ts.CreateUserContext(ctx, user2.ID)
+
+		// Create memo by user1
+		memo, err := ts.Service.CreateMemo(user1Ctx, &apiv1.CreateMemoRequest{
+			Memo: &apiv1.Memo{
+				Content:    "Test memo",
+				Visibility: apiv1.Visibility_PRIVATE,
+			},
+		})
+		require.NoError(t, err)
+		require.NotNil(t, memo)
+
+		// User2 tries to modify relations - should fail
+		_, err = ts.Service.SetMemoRelations(user2Ctx, &apiv1.SetMemoRelationsRequest{
+			Name:      memo.Name,
+			Relations: []*apiv1.MemoRelation{},
+		})
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "permission denied")
+	})
+
+	t.Run("SetMemoRelations unauthenticated", func(t *testing.T) {
+		ts := NewTestService(t)
+		defer ts.Cleanup()
+
+		// Create user
+		user, err := ts.CreateRegularUser(ctx, "user")
+		require.NoError(t, err)
+		userCtx := ts.CreateUserContext(ctx, user.ID)
+
+		// Create memo
+		memo, err := ts.Service.CreateMemo(userCtx, &apiv1.CreateMemoRequest{
+			Memo: &apiv1.Memo{
+				Content:    "Test memo",
+				Visibility: apiv1.Visibility_PRIVATE,
+			},
+		})
+		require.NoError(t, err)
+		require.NotNil(t, memo)
+
+		// Unauthenticated user tries to modify relations - should fail
+		_, err = ts.Service.SetMemoRelations(ctx, &apiv1.SetMemoRelationsRequest{
+			Name:      memo.Name,
+			Relations: []*apiv1.MemoRelation{},
+		})
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "not authenticated")
+	})
+
+	t.Run("SetMemoRelations memo not found", func(t *testing.T) {
+		ts := NewTestService(t)
+		defer ts.Cleanup()
+
+		// Create user
+		user, err := ts.CreateRegularUser(ctx, "user")
+		require.NoError(t, err)
+		userCtx := ts.CreateUserContext(ctx, user.ID)
+
+		// Try to set relations on non-existent memo - should fail
+		_, err = ts.Service.SetMemoRelations(userCtx, &apiv1.SetMemoRelationsRequest{
+			Name:      "memos/nonexistent-uid-12345",
+			Relations: []*apiv1.MemoRelation{},
+		})
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "not found")
+	})
+}