odysseus

Salastil/odysseus

Fork 0

mirror of https://github.com/pewdiepie-archdaemon/odysseus.git synced 2026-06-20 03:35:35 -04:00

Commit Graph

Author	SHA1	Message	Date
nopoz	160267417e	fix(personal): scope RAG file delete to the caller's own upload dir (#4602 ) The DELETE /api/personal/file disk-delete containment check used the shared PERSONAL_UPLOADS_DIR root, so one admin could delete another user's personal upload by passing its path (uploads are partitioned per owner under <root>/<owner>/). Confine the check to the caller's own per-owner subdir via _personal_upload_dir_for_owner(owner). RAG removal and listing exclusion are unchanged (they still serve non-upload indexed sources). Adds a regression test for the cross-owner case.	2026-06-20 00:50:15 +02:00
RaresKeY	85a773ea02	fix(personal): resolve upload delete path (#4291 )	2026-06-15 16:38:37 +02:00

Author

SHA1

Message

Date

nopoz

160267417e

fix(personal): scope RAG file delete to the caller's own upload dir (#4602 )

The DELETE /api/personal/file disk-delete containment check used the
shared PERSONAL_UPLOADS_DIR root, so one admin could delete another
user's personal upload by passing its path (uploads are partitioned per
owner under <root>/<owner>/). Confine the check to the caller's own
per-owner subdir via _personal_upload_dir_for_owner(owner). RAG removal
and listing exclusion are unchanged (they still serve non-upload indexed
sources). Adds a regression test for the cross-owner case.

2026-06-20 00:50:15 +02:00

RaresKeY

85a773ea02

fix(personal): resolve upload delete path (#4291 )

2026-06-15 16:38:37 +02:00

2 Commits