fabi/Mangalord
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

bugfix: gate manga PATCH and cover endpoints on uploader (0.34.1)

Browse Source 
PATCH /mangas/:id, PUT /mangas/:id/cover and DELETE /mangas/:id/cover
took the current user but never compared it against the row's
uploaded_by. Any signed-in user could overwrite or clear any manga's
metadata and cover. Add require_can_edit gate: non-NULL uploaded_by
must match the caller; legacy NULL rows stay open until an admin role
lands (per migration 0011 historical-data note).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
MechaCat02
2026-05-28 07:43:55 +02:00
parent e7662d18d6
commit 3495190854
7 changed files with 172 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
backend/Cargo.lock generated
View File

@@ -1470,7 +1470,7 @@ checksum = "c41e0c4fef86961ac6d6f8a82609f55f31b05e4fce149ac5710e439df7619ba4"
[[package]]
name = "mangalord"
version = "0.34.0"
version = "0.34.1"
dependencies = [
"anyhow",
"argon2",