From e532cde2b63e1708eeda364d984a0d8507b9f655 Mon Sep 17 00:00:00 2001
From: Scott McKendry
Date: Mon, 25 May 2026 02:23:48 +1200
Subject: [PATCH] fix: potential nil pointer dereferences (#893)
---
 internal/middleware/context_middleware.go | 4 ++++
 internal/service/access_controls_rules.go | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/internal/middleware/context_middleware.go b/internal/middleware/context_middleware.go
index f0863c9c..a75582a7 100644
--- a/internal/middleware/context_middleware.go
+++ b/internal/middleware/context_middleware.go
@@ -251,6 +251,10 @@ func (m *ContextMiddleware) basicAuth(username string, password string) (*model.
 case model.UserLocal:
 user := m.auth.GetLocalUser(username)
+ if user == nil {
+ return nil, nil, fmt.Errorf("user not found locally: %s", username)
+ }
+
 if user.TOTPSecret != "" {
 return nil, nil, fmt.Errorf("user with totp not allowed to login via basic auth: %s", username)
 }
diff --git a/internal/service/access_controls_rules.go b/internal/service/access_controls_rules.go
index 3e357e60..3fc6d51b 100644
--- a/internal/service/access_controls_rules.go
+++ b/internal/service/access_controls_rules.go
@@ -114,7 +114,7 @@ type LDAPGroupRule struct {
 }
 func (rule *LDAPGroupRule) Evaluate(ctx *ACLContext) Effect {
- if ctx == nil || ctx.UserContext == nil {
+ if ctx == nil || ctx.UserContext == nil || ctx.ACLs == nil {
 return EffectAbstain
 }
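Review bot: In `basicAuth` (internal/middleware/context_middleware.go), the new nil guard embeds the client-supplied `username` in its error with `%s`, as the existing TOTP branch below it does; if either error reaches a log, control characters in the Basic-auth username pass through unescaped, so `%q` is the safer verb: `return nil, nil, fmt.Errorf("user not found locally: %q", username)`. The guard also gives unknown local users their own early exit and message, and the password check is outside the hunk, so it is worth confirming that callers return one uniform response for every basic-auth failure and that this path cannot be told apart from a wrong password, for example by response time. `basicAuth` starts and ends outside the hunk.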
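Review bot: In `LDAPGroupRule.Evaluate` (internal/service/access_controls_rules.go), the widened guard makes a missing `ctx.ACLs` indistinguishable from a rule that simply does not apply, since both return `EffectAbstain` with no log or error. Whether that is fail-closed depends on how the caller combines abstentions, which the hunk does not show; if the default outcome is allow, an unloaded or misconfigured ACL set would silently skip the LDAP group restriction. A comment above the guard would record the intent, e.g. `// Abstain when no ACL config is loaded; the engine's default effect decides the result.` Any other rule's `Evaluate` that reads `ctx.ACLs` presumably needs the same guard. The method body continues past the end of the hunk.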