fix: port main-only fixes to dev (#2761 sharpen auth, #2762 doc version 404) (#3303)

* fix(gallery): add auth check to /api/image/sharpen endpoint (#2761)

Every other image-processing endpoint (denoise, upscale, remove-bg,
enhance-face, inpaint, harmonize) calls require_privilege(request,
"can_generate_images"). The sharpen endpoint was missing this check,
allowing unauthenticated users to trigger CPU-intensive image processing.

* fix(document): add 404 guard to version list/get endpoints (#2762)

list_versions and get_version used a soft 'if doc:' guard that skipped
ownership verification when the Document row was missing (e.g. after
hard delete). Orphaned DocumentVersion rows would be returned to any
caller without auth. Now raises 404 when the parent document is gone,
matching the pattern already used in restore_version.

---------

Co-authored-by: Ernest Hysa <59969602+ErnestHysa@users.noreply.github.com>
Kenny Van de Maele
2026-06-07 17:19:24 +02:00
committed by GitHub
parent 8f5b7210cc
commit 613bbb0dba
2 changed files with 7 additions and 4 deletions
+6 -4
@@ -664,8 +664,9 @@ def setup_document_routes(session_manager, upload_handler=None) -> APIRouter:
try:
# Verify ownership before listing versions
doc = db.query(Document).filter(Document.id == doc_id).first()
if doc:
_verify_doc_owner(db, doc, user)
if not doc:
raise HTTPException(404, "Document not found")
_verify_doc_owner(db, doc, user)
versions = db.query(DocumentVersion).filter(
DocumentVersion.document_id == doc_id
).order_by(DocumentVersion.version_number.desc()).all()
@@ -688,8 +689,9 @@ def setup_document_routes(session_manager, upload_handler=None) -> APIRouter:
try:
# Verify ownership
doc = db.query(Document).filter(Document.id == doc_id).first()
if doc:
_verify_doc_owner(db, doc, user)
if not doc:
raise HTTPException(404, "Document not found")
_verify_doc_owner(db, doc, user)
ver = db.query(DocumentVersion).filter(
DocumentVersion.document_id == doc_id,
DocumentVersion.version_number == num,
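Review bot: The new `raise HTTPException(404, "Document not found")` (present in both the list_versions and get_version hunks) answers differently from whatever `_verify_doc_owner` raises for a document that exists but belongs to someone else, so if that helper responds with 403 a caller can still distinguish "absent" from "not mine" by probing doc_id values; unless that distinction is intended, the ownership failure should produce the same 404. The query / 404 / `_verify_doc_owner` sequence is now repeated in both hunks and, per the description, in restore_version as well — a small helper such as `doc = _get_owned_document(db, doc_id, user)` that runs the query, raises the 404 and performs the ownership check would keep the three routes from drifting apart again. Both guarded bodies sit inside a `try:` whose `except` clauses are outside the hunk; if a broad handler there re-wraps HTTPException into a generic 500, the new 404 never reaches the client, which is worth confirming. The enclosing setup_document_routes and the route functions themselves start and end outside these hunks.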
+1
@@ -1385,6 +1385,7 @@ def setup_gallery_routes() -> APIRouter:
@router.post("/api/image/sharpen")
async def sharpen_image(request: Request):
"""Apply unsharp-mask sharpening to an image."""
require_privilege(request, "can_generate_images")
body = await request.json()
image_b64 = body.get("image")
amount = body.get("amount", 50) / 100.0
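Review bot: `amount = body.get("amount", 50) / 100.0` on the line after the new privilege check still accepts whatever the JSON body carries — a string, null or list raises TypeError and presumably surfaces as an unhandled 500, and a negative or very large number is passed on to the sharpening step unbounded. Validating before use, e.g. `raw = body.get("amount", 50)` followed by `if not isinstance(raw, (int, float)) or not 0 <= raw <= 100:` and the same 4xx the sibling endpoints raise (assuming a percentage, as the default and the `/ 100.0` suggest), keeps the authenticated path from failing with an unhandled exception, and `body.get("image")` deserves an explicit "missing image" response for the same reason. Since this endpoint was the one omission among the image routes, a route test asserting that an unprivileged request is rejected before the body is read would catch the next one. The body of sharpen_image continues past the hunk.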