fix

backend/supabase/migrations/20250416133920_agentpress_schema.sql

@@ -118,12 +118,14 @@ CREATE POLICY project_delete_policy ON projects
 CREATE POLICY thread_select_policy ON threads
     FOR SELECT
     USING (
-        is_public = TRUE OR
         basejump.has_role_on_account(account_id) = true OR 
         EXISTS (
             SELECT 1 FROM projects
             WHERE projects.project_id = threads.project_id
-            AND basejump.has_role_on_account(projects.account_id) = true
+            AND (
+                projects.is_public = TRUE OR
+                basejump.has_role_on_account(projects.account_id) = true
+            )
         )
     );
 
@@ -169,7 +171,7 @@ CREATE POLICY agent_run_select_policy ON agent_runs
             LEFT JOIN projects ON threads.project_id = projects.project_id
             WHERE threads.thread_id = agent_runs.thread_id
             AND (
-                threads.is_public = TRUE OR
+                projects.is_public = TRUE OR
                 basejump.has_role_on_account(threads.account_id) = true OR 
                 basejump.has_role_on_account(projects.account_id) = true
             )
@@ -227,7 +229,7 @@ CREATE POLICY message_select_policy ON messages
             LEFT JOIN projects ON threads.project_id = projects.project_id
             WHERE threads.thread_id = messages.thread_id
             AND (
-                threads.is_public = TRUE OR
+                projects.is_public = TRUE OR
                 basejump.has_role_on_account(threads.account_id) = true OR 
                 basejump.has_role_on_account(projects.account_id) = true
             )
@@ -295,18 +297,19 @@ DECLARE
     current_role TEXT;
     latest_summary_id UUID;
     latest_summary_time TIMESTAMP WITH TIME ZONE;
-    is_thread_public BOOLEAN;
+    is_project_public BOOLEAN;
 BEGIN
     -- Get current role
     SELECT current_user INTO current_role;
     
-    -- Check if thread is public
-    SELECT is_public INTO is_thread_public
-    FROM threads
-    WHERE thread_id = p_thread_id;
+    -- Check if associated project is public
+    SELECT p.is_public INTO is_project_public
+    FROM threads t
+    LEFT JOIN projects p ON t.project_id = p.project_id
+    WHERE t.thread_id = p_thread_id;
     
-    -- Skip access check for service_role or public threads
-    IF current_role = 'authenticated' AND NOT is_thread_public THEN
+    -- Skip access check for service_role or public projects
+    IF current_role = 'authenticated' AND NOT is_project_public THEN
         -- Check if thread exists and user has access
         SELECT EXISTS (
             SELECT 1 FROM threads t

backend/utils/auth_utils.py

@@ -105,7 +105,6 @@ async def get_user_id_from_stream_auth(
         detail="No valid authentication credentials found",
         headers={"WWW-Authenticate": "Bearer"}
     )
-
 async def verify_thread_access(client, thread_id: str, user_id: str):
     """
     Verify that a user has access to a specific thread based on account membership.
@@ -122,16 +121,20 @@ async def verify_thread_access(client, thread_id: str, user_id: str):
         HTTPException: If the user doesn't have access to the thread
     """
     # Query the thread to get account information
-    thread_result = await client.table('threads').select('*').eq('thread_id', thread_id).execute()
+    thread_result = await client.table('threads').select('*,project_id').eq('thread_id', thread_id).execute()
 
     if not thread_result.data or len(thread_result.data) == 0:
         raise HTTPException(status_code=404, detail="Thread not found")
     
     thread_data = thread_result.data[0]
     
-    # Check if thread is public
-    if thread_data.get('is_public'):
-        return True
+    # Check if project is public
+    project_id = thread_data.get('project_id')
+    if project_id:
+        project_result = await client.table('projects').select('is_public').eq('project_id', project_id).execute()
+        if project_result.data and len(project_result.data) > 0:
+            if project_result.data[0].get('is_public'):
+                return True
         
     account_id = thread_data.get('account_id')
     # When using service role, we need to manually check account membership instead of using current_user_account_role

frontend/src/app/share/[threadId]/page.tsx

@@ -608,9 +608,9 @@ export default function ThreadPage({ params }: { params: Promise<ThreadParams> }
         if (!isMounted) return;
         
         // Make sure the thread is public
-        if (!(threadData as any).is_public) {
-          throw new Error('This thread is not available for public viewing.');
-        }
+        // if (!(threadData as any).is_public) {
+        //   throw new Error('This thread is not available for public viewing.');
+        // }
         
         if (threadData?.project_id) {
           try {