fix(gallery): remove image file only after the delete commit succeeds (#2196)

delete_gallery_image() deleted the on-disk file before setting is_active=False and committing. If that commit failed and rolled back, the record stayed active but its file was already gone — a broken, unviewable image (data loss). Soft-delete and commit first, then remove the file best-effort, so a missing or locked file can no longer 500 a delete that already succeeded logically. Adds tests/test_gallery_delete_file_ordering.py covering the commit-failure (file kept) and success (file removed) paths.
2026-06-16 17:55:26 -04:00 · 2026-06-15 12:00:32 +03:00
parent d8e7cc7053
commit f28703adf6
2 changed files with 97 additions and 6 deletions
@@ -931,15 +931,23 @@ def setup_gallery_routes() -> APIRouter:
                raise HTTPException(404, "Image not found")

            img_filename = img.filename
-            # Remove the file from disk
-            img_path = _gallery_image_path(img_filename)
-            if img_path.exists():
-                img_path.unlink()
-
-            # Soft-delete the record
+            # Soft-delete the record first; the DB is the source of truth.
            img.is_active = False
            db.commit()

+            # Only after the soft-delete commit succeeds do we remove the file.
+            # If the file were deleted first and the commit then failed/rolled
+            # back, the still-active record would point at a missing file.
+            # Best-effort so a missing or locked file can't 500 a delete that
+            # already succeeded logically. Uses the path-confined resolver so a
+            # malformed stored filename can't escape generated_images.
+            try:
+                img_path = _gallery_image_path(img_filename)
+                if img_path.exists():
+                    img_path.unlink()
+            except Exception as e:
+                logger.warning(f"Could not remove gallery image file for {img_filename}: {e}")
+
            # Strip stale chat-history references so the image bubble
            # (and its prompt caption) doesn't come back after a server
            # reboot replays the session. We remove the matching tool