Commit Graph

17 Commits

Author SHA1 Message Date
boojack 25feef3aad fix(api): tolerate missing related users in memo conversions (#5809) 2026-04-06 08:23:18 +08:00
memoclaw c53677fcba fix(api): improve SSE hub design and fix double-broadcast on comments 2026-03-29 07:33:40 +08:00
  - Fix duplicate SSE event on comment creation: CreateMemoComment now suppresses the redundant memo.created broadcast from the inner CreateMemo call, emitting only memo.comment.created
  - Extract reaction event-building IIFEs into buildMemoReactionSSEEvent helper, removing duplicated inline DB-fetch logic
  - Promote resolveSSEAudienceCreatorID from method to free function (resolveSSECreatorID) since it never used the receiver
  - Add userID to SSE connect/disconnect log lines for traceability
  - Change canReceive default from permissive (return true) to deny-with-warning for unknown visibility types
  - Add comprehensive tests covering all new helpers, visibility edge cases, slow-client drop behavior, and the double-broadcast fix

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
memoclaw acddef1f3d fix(api): switch user resource names to usernames (#5779) 2026-03-25 09:11:17 +08:00
  Co-authored-by: memoclaw <265580040+memoclaw@users.noreply.github.com>
milvasic ea0892a8b2 feat: add live refresh via Server-Sent Events (SSE) with visual indicator (#5638) 2026-03-03 22:56:12 +08:00
  Co-authored-by: Cursor Agent <cursoragent@cursor.com>
  Co-authored-by: milvasic <milvasic@users.noreply.github.com>
Johnny c7b48b800f fix: add access control checks for attachments, comments, and reactions 2026-01-31 23:02:30 +08:00
  Security fixes for multiple authorization bypass vulnerabilities:

  - GetAttachment: Add visibility check via checkAttachmentAccess helper
  - UpdateAttachment: Add ownership check (creator or admin only)
  - Fileserver: Require creator/admin auth for unlinked attachments
  - ListMemoAttachments: Add memo visibility check
  - CreateMemoComment: Add memo visibility check for target memo
  - ListMemoReactions: Add memo visibility check
  - UpsertMemoReaction: Add memo visibility check

  All checks follow the existing pattern used in GetMemo for consistency.
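An illustrative Go example, added here and not the memos project's own code, of the two fail-closed decisions described in the commit messages above: the SSE hub's canReceive default moving from permissive (return true) to deny-with-warning for unknown visibility types, and the shared memo visibility check that the access-control commit applies to the attachment, comment and reaction handlers. The visibility names PUBLIC, PROTECTED and PRIVATE follow the memo visibility levels the project exposes; the types and functions (Memo, User, canAccessMemo, canReceivePermissive, canReceive, authorizeMemoAction) are hypothetical reconstructions of the pattern, not the project's actual signatures, and the memo rows in main are constructed test data.

```go
package main

import (
	"errors"
	"fmt"
	"log"
)

// Visibility uses the memo visibility levels the memos project exposes.
// Everything else in this file is an illustrative reconstruction, not project code.
type Visibility string

const (
	VisibilityPublic    Visibility = "PUBLIC"
	VisibilityProtected Visibility = "PROTECTED"
	VisibilityPrivate   Visibility = "PRIVATE"
)

// Memo and User carry only the fields the checks need (hypothetical shapes).
type Memo struct {
	ID         int
	CreatorID  int
	Visibility Visibility
}

type User struct {
	ID      int
	IsAdmin bool
}

// ErrPermissionDenied is what a handler would map to gRPC PermissionDenied / HTTP 403.
var ErrPermissionDenied = errors.New("permission denied")

// canAccessMemo is the single visibility decision every memo-scoped handler
// (attachments, comments, reactions, SSE fan-out) shares. user == nil is an
// unauthenticated caller. An unrecognised visibility value fails closed and
// returns an error so the caller can log it.
func canAccessMemo(memo Memo, user *User) (bool, error) {
	switch memo.Visibility {
	case VisibilityPublic:
		return true, nil
	case VisibilityProtected:
		return user != nil, nil
	case VisibilityPrivate:
		return user != nil && (user.IsAdmin || user.ID == memo.CreatorID), nil
	default:
		return false, fmt.Errorf("memo %d: unknown visibility %q", memo.ID, memo.Visibility)
	}
}

// canReceivePermissive is the pre-fix shape of an SSE audience filter: the
// default branch returns true, so a memo carrying an unexpected visibility
// value is broadcast to every connected subscriber.
func canReceivePermissive(memo Memo, subscriber *User) bool {
	switch memo.Visibility {
	case VisibilityPublic:
		return true
	case VisibilityProtected:
		return subscriber != nil
	case VisibilityPrivate:
		return subscriber != nil && (subscriber.IsAdmin || subscriber.ID == memo.CreatorID)
	default:
		return true // permissive default: unknown visibility leaks to everyone
	}
}

// canReceive is the deny-with-warning form: it reuses canAccessMemo, logs the
// unknown value and drops the event instead of delivering it.
func canReceive(memo Memo, subscriber *User) bool {
	ok, err := canAccessMemo(memo, subscriber)
	if err != nil {
		log.Printf("sse: dropping event: %v", err)
		return false
	}
	return ok
}

// authorizeMemoAction is the guard a reaction, comment or attachment handler
// runs on the target memo before reading or writing anything: an authenticated
// caller is required, then the same visibility check as GetMemo applies, so a
// caller who cannot read a memo cannot react to or comment on it either.
func authorizeMemoAction(memo Memo, caller *User) error {
	if caller == nil {
		return errors.New("unauthenticated")
	}
	ok, err := canAccessMemo(memo, caller)
	if err != nil {
		log.Printf("authz: %v", err)
		return ErrPermissionDenied
	}
	if !ok {
		return ErrPermissionDenied
	}
	return nil
}

func main() {
	alice := &User{ID: 1}
	bob := &User{ID: 2}
	private := Memo{ID: 10, CreatorID: alice.ID, Visibility: VisibilityPrivate}
	broken := Memo{ID: 11, CreatorID: alice.ID, Visibility: Visibility("SECRET")} // constructed bad row

	fmt.Println("bob reacts to alice's private memo:", authorizeMemoAction(private, bob))
	fmt.Println("anonymous receives broken memo (permissive):", canReceivePermissive(broken, nil))
	fmt.Println("anonymous receives broken memo (deny default):", canReceive(broken, nil))
}
```

The point of routing both the request handlers and the SSE fan-out through one canAccessMemo is that the two decisions cannot drift apart, and a value outside the known enum yields a denial plus a log line rather than a silent public broadcast.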
Johnny d7284fe867 refactor: nest reaction resource names under memos 2025-12-30 23:29:54 +08:00
Johnny 7932f6d0d0 refactor: user auth improvements (#5360) 2025-12-18 18:15:51 +08:00
boojack 21d31e3609 fix(security): implement security review recommendations (#5228) 2025-11-06 23:32:27 +08:00
  Co-authored-by: Claude <noreply@anthropic.com>
Florian Dewald 769dcd0cf9 fix(security): add missing authorization checks to various services (#5217) 2025-11-06 19:42:44 +08:00
Johnny efe6013c36 fix: add user authentication checks 2025-10-08 20:30:05 +08:00
varsnotwars a9508b2546 chore: simplify convert reaction (#5001) 2025-08-14 00:06:23 +08:00
Steven 83febf9928 chore: clean resource definition 2025-06-23 21:08:25 +08:00
Steven 9972a77d9e refactor: memo service 2025-06-18 19:58:38 +08:00
johnnyjoy f1308ddd27 refactor: update part of resource identifier 2025-01-19 23:03:22 +08:00
Steven e527b6a878 feat: move reaction type to setting 2024-10-10 21:06:32 +08:00
Steven 1ccfa81cf3 chore: tweak common function 2024-05-26 11:02:23 +08:00
Steven 20dd3e17f7 chore: rename router package 2024-05-01 10:28:32 +08:00
Renamed from server/route/api/v1/reaction_service.go