bugfix: gate manga PATCH and cover endpoints on uploader (0.34.1)
PATCH /mangas/:id, PUT /mangas/:id/cover and DELETE /mangas/:id/cover took the current user but never compared it against the row's uploaded_by. Any signed-in user could overwrite or clear any manga's metadata and cover. Add require_can_edit gate: non-NULL uploaded_by must match the caller; legacy NULL rows stay open until an admin role lands (per migration 0011 historical-data note). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
MechaCat02
@@ -1,6 +1,6 @@
|
||||
[package]
|
||||
name = "mangalord"
|
||||
version = "0.34.0"
|
||||
version = "0.34.1"
|
||||
edition = "2021"
|
||||
default-run = "mangalord"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user