openclaw · vyctorbrzezowski · May 16, 2026 · May 16, 2026 · May 18, 2026 · May 18, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
 ### Fixes
 
 - API: fix `GET /api/v1/skills` pagination so `cursor` advances to the next page instead of repeating the first page for supported non-trending sorts (#2275) (thanks @vyctorbrzezowski, @enerj).
+- Web: block collaborative membership on personal publishers while allowing the linked owner to clean up stale extra membership rows (thanks @vyctorbrzezowski).
 
 ## 0.17.0 - 2026-05-19
 

@@ -127,7 +127,10 @@ export async function assertCanManageOwnedResource(
   }
 
   const publisher = await ctx.db.get(params.ownerPublisherId);
-  if (publisher?.kind === "user" && publisher.linkedUserId === params.actor._id) return;
+  if (publisher?.kind === "user") {
+    if (publisher.linkedUserId === params.actor._id) return;
+    throw new ConvexError("Forbidden");
+  }
 
   const membership = await getPublisherMembership(ctx, params.ownerPublisherId, params.actor._id);
   if (
@@ -475,6 +478,26 @@ export async function getPublisherMembership(
   }
 }
 
+export async function canAccessPublisherOwnerScope(
+  ctx: DbCtx,
+  params: {
+    publisher: Doc<"publishers"> | null | undefined;
+    userId: Id<"users">;
+    allowedPublisherRoles?: PublisherRole[];
+  },
+) {
+  const publisher = params.publisher;
+  if (!publisher || !isPublisherActive(publisher)) return false;
+  if (publisher.kind === "user") {
+    return publisher.linkedUserId === params.userId;
+  }
+  const membership = await getPublisherMembership(ctx, publisher._id, params.userId);
+  return Boolean(
+    membership &&
+    isPublisherRoleAllowed(membership.role, params.allowedPublisherRoles ?? ["publisher"]),
+  );
+}
+
 export async function requirePublisherRole(
   ctx: DbCtx,
   params: {
@@ -484,7 +507,14 @@ export async function requirePublisherRole(
   },
 ) {
   const publisher = await ctx.db.get(params.publisherId);
-  if (!isPublisherActive(publisher)) throw new ConvexError("Publisher not found");
+  if (!publisher || !isPublisherActive(publisher)) throw new ConvexError("Publisher not found");
+  if (publisher.kind === "user") {
+    if (publisher.linkedUserId !== params.userId) {
+      throw new ConvexError("Forbidden");
+    }
+    const membership = await getPublisherMembership(ctx, params.publisherId, params.userId);
+    return { publisher, membership };
+  }
   const membership = await getPublisherMembership(ctx, params.publisherId, params.userId);
   if (!membership || !isPublisherRoleAllowed(membership.role, params.allowed)) {
     throw new ConvexError("Forbidden");
@@ -514,6 +544,10 @@ export async function resolvePublisherForActor(
   if (!publisher || !isPublisherActive(publisher)) {
     throw new ConvexError(`Publisher "@${requestedHandle}" not found`);
   }
+  if (publisher.kind === "user") {
+    if (publisher.linkedUserId === params.actor._id) return publisher;
+    throw new ConvexError(`You do not have publish access for "@${requestedHandle}"`);
+  }
   const membership = await getPublisherMembership(ctx, publisher._id, params.actor._id);
   if (!membership || !isPublisherRoleAllowed(membership.role, params.allowed)) {
     throw new ConvexError(`You do not have publish access for "@${requestedHandle}"`);