ulysses/routes
Kenny Van de Maele 613bbb0dba
fix: port main-only fixes to dev (#2761 sharpen auth, #2762 doc version 404) (#3303)
* fix(gallery): add auth check to /api/image/sharpen endpoint (#2761)

Every other image-processing endpoint (denoise, upscale, remove-bg,
enhance-face, inpaint, harmonize) calls require_privilege(request,
"can_generate_images"). The sharpen endpoint was missing this check,
allowing unauthenticated users to trigger CPU-intensive image processing.

* fix(document): add 404 guard to version list/get endpoints (#2762)

list_versions and get_version used a soft 'if doc:' guard that skipped
ownership verification when the Document row was missing (e.g. after
hard delete). Orphaned DocumentVersion rows would be returned to any
caller without auth. Now raises 404 when the parent document is gone,
matching the pattern already used in restore_version.

---------

Co-authored-by: Ernest Hysa <59969602+ErnestHysa@users.noreply.github.com>
2026-06-07 17:19:24 +02:00
..
__init__.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
admin_wipe_routes.py Admin: wipe gallery albums with images 2026-06-02 20:35:57 +09:00
api_token_routes.py Codex Agent integration: HTTP surface + plugin bundle + Settings UI 2026-06-03 22:49:09 +09:00
assistant_routes.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
auth_routes.py fix: avoid double bcrypt on login by using create_session_trusted (#3236) 2026-06-07 15:10:53 +02:00
backup_routes.py fix: restore backup import after skills migration (#2980) 2026-06-06 21:46:32 +01:00
calendar_routes.py Scope model helper endpoint resolution (#3007) 2026-06-07 12:40:23 +02:00
chat_helpers.py Scope auxiliary LLM endpoints by owner (#2996) 2026-06-07 14:47:44 +02:00
chat_routes.py fix(agent): enforce guide-only tool policy (#3088) 2026-06-06 18:48:24 -06:00
cleanup_routes.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
codex_routes.py fix(auth): gate api tokens from user routes (#2992) 2026-06-07 12:55:01 +02:00
compare_routes.py fix(compare): stop blind mode leaking model identities via session names (#1318) 2026-06-04 04:39:01 +01:00
contacts_routes.py Harden DAV outbound URL validation (#2819) 2026-06-05 13:22:21 +02:00
cookbook_helpers.py Fix/windows llama cpp serve and test upstream (#2669) 2026-06-05 14:53:33 +02:00
cookbook_routes.py Fix/windows llama cpp serve and test upstream (#2669) 2026-06-05 14:53:33 +02:00
copilot_routes.py feat(provider): add GitHub Copilot provider with device-flow auth (#1480) 2026-06-04 21:13:14 +02:00
diagnostics_routes.py Fix email-thread HTML injection, attachment path traversal, and missing authz (#475) 2026-06-01 22:20:17 +09:00
document_helpers.py fix: _resolve_user_upload_path crashes on a non-dict resolve_upload result (#1715) 2026-06-03 13:34:33 +09:00
document_routes.py fix: port main-only fixes to dev (#2761 sharpen auth, #2762 doc version 404) (#3303) 2026-06-07 17:19:24 +02:00
editor_draft_routes.py Ignore invalid editor draft payloads (#1533) 2026-06-03 14:07:03 +09:00
email_helpers.py fix(email): decode headers without injected spaces (#2433) 2026-06-07 16:56:20 +02:00
email_pollers.py fix: quote IMAP mailbox arguments (#2170) 2026-06-05 16:00:20 +02:00
email_routes.py fix(email): scope AI caches by owner (#2695) 2026-06-05 02:21:50 +02:00
embedding_routes.py fix: split Chroma embedding lanes (#3046) 2026-06-06 03:17:19 -06:00
emoji_routes.py Harden emoji SVG proxy responses (#2842) 2026-06-05 10:31:58 +02:00
font_routes.py Keep compact font family names together (#1263) 2026-06-03 14:24:30 +09:00
gallery_helpers.py fix: gallery records raw instead of display dimensions for EXIF-rotated photos (#1667) 2026-06-03 14:23:04 +09:00
gallery_routes.py fix: port main-only fixes to dev (#2761 sharpen auth, #2762 doc version 404) (#3303) 2026-06-07 17:19:24 +02:00
history_routes.py Scope model helper endpoint resolution (#3007) 2026-06-07 12:40:23 +02:00
hwfit_routes.py Merge remote-tracking branch 'origin/main' into visual-pr-playground 2026-06-03 16:49:10 +09:00
mcp_routes.py feat(mcp): add Streamable HTTP transport with OAuth 2.0 (#1033) 2026-06-05 02:40:52 +02:00
memory_routes.py Scope vision model resolution by owner (#3009) 2026-06-07 12:39:02 +02:00
model_routes.py feat: add OpenCode Zen and Go as provider options (#26) 2026-06-07 16:43:00 +02:00
note_routes.py Harden note reminder dispatch ownership (#2999) 2026-06-07 12:52:27 +02:00
personal_routes.py fix: TOCTOU race in personal file delete + IndexError on whitespace cmd (#2228) 2026-06-07 16:44:26 +02:00
prefs_routes.py Persist user prefs atomically (#1840) 2026-06-04 03:55:22 +01:00
preset_routes.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
research_routes.py Scope auxiliary LLM endpoints by owner (#2996) 2026-06-07 14:47:44 +02:00
search_routes.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
session_routes.py Fix logical bugs in event bus and bulk session deletion (#3139) 2026-06-07 17:08:50 +02:00
shell_routes.py Fix/windows llama cpp serve and test upstream (#2669) 2026-06-05 14:53:33 +02:00
signature_routes.py Constrain signature uploads to PNG data (#2844) 2026-06-05 13:17:43 +02:00
skills_routes.py feat(skills): import SKILL.md bundles from public GitHub URLs (#2576) 2026-06-05 19:48:23 +02:00
stt_routes.py fix(uploads): bound direct upload reads 2026-06-04 00:32:50 +01:00
task_routes.py Scope auxiliary LLM endpoints by owner (#2996) 2026-06-07 14:47:44 +02:00
tts_routes.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
upload_routes.py Scope vision model resolution by owner (#3009) 2026-06-07 12:39:02 +02:00
vault_routes.py Keep Bitwarden unlock password off argv (#1311) 2026-06-03 02:13:51 +09:00
webhook_routes.py feat: add OpenCode Zen and Go as provider options (#26) 2026-06-07 16:43:00 +02:00
workspace_routes.py feat: Add workspace: confine agent tools to a folder (#1103) 2026-06-05 00:06:37 +02:00