fix: scope chat active-document lookup to the session owner (#569)

tests/test_security_regressions.py

@@ -929,3 +929,20 @@ def test_mcp_oauth_page_escapes_reflected_values():
     body = text.split("def _oauth_authorize_page(", 1)[1].split("return f", 1)[0]
     for var in ("auth_url", "server_id", "host"):
         assert f"{var} = html.escape({var}" in body, var
+
+
+def test_chat_active_document_lookup_is_owner_scoped():
+    """The explicit `active_doc_id` path in /api/chat_stream must scope the
+    document lookup to the caller. Resolving by id alone let any user inject
+    another user's document into their own chat context (the session and
+    in-memory fallbacks were already owner/session-bound; this branch wasn't)."""
+    import re
+
+    src = Path(__file__).resolve().parents[1] / "routes" / "chat_routes.py"
+    text = src.read_text()
+    # The frontend-supplied id is resolved through the shared owner filter.
+    assert "_owner_session_filter(_doc_q, ctx.user)" in text
+    # And never by id alone (the previous IDOR shape, whitespace-insensitive).
+    flat = re.sub(r"\s+", " ", text)
+    assert "filter( DBDocument.id == active_doc_id, ).first()" not in flat
+    assert "filter(DBDocument.id == active_doc_id).first()" not in flat