From d4ff7fce8160fd4b782090be49034800b865d7c3 Mon Sep 17 00:00:00 2001
From: Ernest Hysa <59969602+ErnestHysa@users.noreply.github.com>
Date: Fri, 5 Jun 2026 14:12:33 +0100
Subject: [PATCH] fix(gallery): add auth check to /api/image/sharpen endpoint (#2761)

Every other image-processing endpoint (denoise, upscale, remove-bg, enhance-face, inpaint, harmonize) calls require_privilege(request, "can_generate_images"). The sharpen endpoint was missing this check, allowing unauthenticated users to trigger CPU-intensive image processing.
---
 routes/gallery_routes.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/routes/gallery_routes.py b/routes/gallery_routes.py
index fdac5a412..eb4056508 100644
--- a/routes/gallery_routes.py
+++ b/routes/gallery_routes.py
@@ -1316,6 +1316,7 @@ def setup_gallery_routes() -> APIRouter:
 @router.post("/api/image/sharpen")
 async def sharpen_image(request: Request):
 """Apply unsharp-mask sharpening to an image."""
+ require_privilege(request, "can_generate_images")
 body = await request.json()
 image_b64 = body.get("image")
 amount = body.get("amount", 50) / 100.0
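Review bot: The added `require_privilege(request, "can_generate_images")` call in `sharpen_image` is a bare statement whose result is discarded, so the fix only holds if that helper raises on failure rather than returning a falsy value; its definition is not in this hunk, so that should be confirmed. The commit touches one file and adds no regression test, and the original bug was a forgotten per-handler call, so the same omission can recur on the next `/api/image/*` route. A test that posts to each image endpoint without credentials and expects a rejection would catch it. Separately, `amount = body.get("amount", 50) / 100.0` on the last visible line divides whatever JSON value the client sent, so a string or null there presumably surfaces as an unhandled TypeError unless it is validated or clamped later. The body of `sharpen_image` continues past the hunk, so I cannot see whether it is.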