Commit Graph

8 Commits

Author SHA1 Message Date
Steven 704503e556 fix(store): allow memo/attachment deletion when local file is missing
Fixes two bugs reported in #5603:

1. store/attachment.go: ignore os.ErrNotExist when removing a local
   attachment file so that a missing file on disk (broken state from
   failed uploads) no longer blocks deletion of the DB record, allowing
   memos referencing corrupt attachments to be deleted normally.

2. memo_attachment_service.go: add nil guard on GetAttachment result
   before dereferencing it in SetMemoAttachments, preventing a nil
   pointer panic when an attachment UID no longer exists in the DB.
2026-02-23 10:26:40 +08:00
Johnny c7b48b800f fix: add access control checks for attachments, comments, and reactions
Security fixes for multiple authorization bypass vulnerabilities:

- GetAttachment: Add visibility check via checkAttachmentAccess helper
- UpdateAttachment: Add ownership check (creator or admin only)
- Fileserver: Require creator/admin auth for unlinked attachments
- ListMemoAttachments: Add memo visibility check
- CreateMemoComment: Add memo visibility check for target memo
- ListMemoReactions: Add memo visibility check
- UpsertMemoReaction: Add memo visibility check

All checks follow the existing pattern used in GetMemo for consistency.
2026-01-31 23:02:30 +08:00
Johnny 7932f6d0d0 refactor: user auth improvements (#5360) 2025-12-18 18:15:51 +08:00
boojack 21d31e3609 fix(security): implement security review recommendations (#5228)
Co-authored-by: Claude <noreply@anthropic.com>
2025-11-06 23:32:27 +08:00
Florian Dewald 769dcd0cf9 fix(security): add missing authorization checks to various services (#5217) 2025-11-06 19:42:44 +08:00
varsnotwars 4eb5b67baf feat: attachments by id (#5008) 2025-08-15 22:02:29 +08:00
Steven a4920d464b refactor: attachment service part2 2025-06-18 00:09:19 +08:00
Steven bb5809cae4 refactor: attachment service 2025-06-17 22:15:19 +08:00
Renamed from server/router/api/v1/memo_resource_service.go