From 562671e498fa7fc6178ea88c9eb3548352e8c648 Mon Sep 17 00:00:00 2001
From: Neal Shah <30693865+ProgrammerIn-wonderland@users.noreply.github.com>
Date: Tue, 17 Feb 2026 01:29:54 -0500
Subject: [PATCH] add extra permission check for granted apps (#2503)
---
 extensions/app-telemetry/app-user-count.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/extensions/app-telemetry/app-user-count.ts b/extensions/app-telemetry/app-user-count.ts
index c446255b0..c3a6fe97d 100644
--- a/extensions/app-telemetry/app-user-count.ts
+++ b/extensions/app-telemetry/app-user-count.ts
@@ -1,7 +1,8 @@
 const { Eq } = extension.import('query');
 const { db } = extension.import('data');
-const { APIError } = extension.import('core');
+const { APIError, Context } = extension.import('core');
 const app_es = extension.import('service:es:app') as any;
+const svc_permission = extension.import('service:permission') as any;
 const DEFAULT_LIMIT = 100;
 const MAX_LIMIT = 1000;
@@ -98,6 +99,9 @@ extension.on('create.drivers', event => {
 if ( ! result ) {
 throw APIError.create('permission_denied');
 }
+ if ( ! (await svc_permission.check(Context.get('actor'), `apps-of-user:${result.values_.owner.uuid}:write`, { no_cache: true })) ) {
+ throw APIError.create('permission_denied');
+ }
 // Fetch and return users
 const users: Array<{ username: string, uuid: string }> = await db.read(`SELECT user.username, user.uuid FROM user_to_app_permissions
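Review bot: The permission string in the added check is built from `result.values_.owner.uuid` with no guard, so an app entity whose `owner` is absent or not populated would raise a TypeError here instead of the `permission_denied` error both branches otherwise return; whether that can occur depends on how `result` is read, which is outside the hunk. Resolving the owner first keeps the failure closed and uniform: `const owner_uuid = result.values_?.owner?.uuid;` followed by `if ( ! owner_uuid ) throw APIError.create('permission_denied');`, then use `owner_uuid` in the template. A short comment above the check would help the next reader, for example `// reading the app is not enough: listing its users requires write on the owner's apps`, if that is the intent behind the commit subject, plus a word on why `no_cache: true` is passed. The enclosing driver handler starts and ends outside the hunk.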