From 613bbb0dba1ad9b11c8562507fefde5ca8967e12 Mon Sep 17 00:00:00 2001
From: Kenny Van de Maele
Date: Sun, 7 Jun 2026 17:19:24 +0200
Subject: [PATCH] fix: port main-only fixes to dev (#2761 sharpen auth, #2762 doc version 404) (#3303)

* fix(gallery): add auth check to /api/image/sharpen endpoint (#2761)

Every other image-processing endpoint (denoise, upscale, remove-bg, enhance-face, inpaint, harmonize) calls require_privilege(request, "can_generate_images"). The sharpen endpoint was missing this check, allowing unauthenticated users to trigger CPU-intensive image processing.

* fix(document): add 404 guard to version list/get endpoints (#2762)

list_versions and get_version used a soft 'if doc:' guard that skipped ownership verification when the Document row was missing (e.g. after hard delete). Orphaned DocumentVersion rows would be returned to any caller without auth. Now raises 404 when the parent document is gone, matching the pattern already used in restore_version.

---------

Co-authored-by: Ernest Hysa <59969602+ErnestHysa@users.noreply.github.com>
---
 routes/document_routes.py | 10 ++++++----
 routes/gallery_routes.py | 1 +
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/routes/document_routes.py b/routes/document_routes.py
index 981787d1b..20df372a1 100644
--- a/routes/document_routes.py
+++ b/routes/document_routes.py
@@ -664,8 +664,9 @@ def setup_document_routes(session_manager, upload_handler=None) -> APIRouter:
 try:
 # Verify ownership before listing versions
 doc = db.query(Document).filter(Document.id == doc_id).first()
- if doc:
- _verify_doc_owner(db, doc, user)
+ if not doc:
+ raise HTTPException(404, "Document not found")
+ _verify_doc_owner(db, doc, user)
 versions = db.query(DocumentVersion).filter(
 DocumentVersion.document_id == doc_id
 ).order_by(DocumentVersion.version_number.desc()).all()
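Review bot: The new guard answers a missing document with 404 while the `_verify_doc_owner` call that follows presumably rejects a non-owner with a different status; if that is a 403, an unprivileged caller can still tell live document ids from deleted ones by the status code alone, so consider answering 404 on both paths (or confirm that `_verify_doc_owner` already does). The same pattern appears in the get_version hunk below, so one decision covers both. The comment above the guard could also state why the hard 404 matters, e.g. `# 404 on a missing Document so orphaned DocumentVersion rows (hard delete) are never served without an ownership check`. list_versions begins and ends outside this hunk, and `_verify_doc_owner` is not visible here.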
@@ -688,8 +689,9 @@ def setup_document_routes(session_manager, upload_handler=None) -> APIRouter:
 try:
 # Verify ownership
 doc = db.query(Document).filter(Document.id == doc_id).first()
- if doc:
- _verify_doc_owner(db, doc, user)
+ if not doc:
+ raise HTTPException(404, "Document not found")
+ _verify_doc_owner(db, doc, user)
 ver = db.query(DocumentVersion).filter(
 DocumentVersion.document_id == doc_id,
 DocumentVersion.version_number == num,
diff --git a/routes/gallery_routes.py b/routes/gallery_routes.py
index 8bc5438c5..0e3c68fa0 100644
--- a/routes/gallery_routes.py
+++ b/routes/gallery_routes.py
@@ -1385,6 +1385,7 @@ def setup_gallery_routes() -> APIRouter:
 @router.post("/api/image/sharpen")
 async def sharpen_image(request: Request):
 """Apply unsharp-mask sharpening to an image."""
+ require_privilege(request, "can_generate_images")
 body = await request.json()
 image_b64 = body.get("image")
 amount = body.get("amount", 50) / 100.0
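Review bot: `require_privilege` is placed before `await request.json()`, so the body is never parsed for unprivileged callers, which is the right order; the remaining weakness in the same lines is `amount = body.get("amount", 50) / 100.0`, which divides whatever JSON value the client sent and turns a string, list or null `amount` into a TypeError and a 500 instead of a 400. A type check on the value before the division keeps malformed input on the client-error path. sharpen_image continues past the end of the hunk, and whether `HTTPException` is imported in this module is not visible here, so use whatever error type the module's other routes raise for bad bodies.
```python
    body = await request.json()
    # … unchanged: image_b64 = body.get("image") …
    raw_amount = body.get("amount", 50)
    if not isinstance(raw_amount, (int, float)):
        raise HTTPException(400, "amount must be a number")
    amount = raw_amount / 100.0
    # … unchanged: rest of sharpen_image …
```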