k1nq/TREK
1
0
Fork 0
mirror of https://github.com/mauriceboe/TREK.git synced 2026-06-19 13:21:46 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
16277a3811a00c2983f7486fee83c112986cb179
TREK/server
T
History
Maurice 16277a3811 security: fix missing trip access checks on Immich routes (GHSA-pcr3-6647-jh72) 
security: require auth for uploaded photos (GHSA-wxx3-84fc-mrx2)

GHSA-pcr3-6647-jh72 (HIGH):
- Add canAccessTrip check to all /trips/:tripId/photos and
  /trips/:tripId/album-links endpoints
- Prevents authenticated users from accessing other trips' photos

GHSA-wxx3-84fc-mrx2 (LOW):
- /uploads/photos now requires JWT auth token or valid share token
- Covers and avatars remain public (needed for login/share pages)
- Files were already blocked behind auth
2026-04-01 15:46:08 +02:00
..
public
Merge branch 'perf-test' of https://github.com/jubnl/TREK into dev
2026-03-31 23:10:02 +02:00
src
security: fix missing trip access checks on Immich routes (GHSA-pcr3-6647-jh72)
2026-04-01 15:46:08 +02:00
.env.example
docs: document all env vars and remove SMTP/webhook from docker config
2026-03-31 22:24:07 +03:00
package-lock.json
Merge branch 'pr-125'
2026-03-30 23:10:34 +02:00
package.json
Merge branch 'pr-125'
2026-03-30 23:10:34 +02:00
reset-admin.js
Stabilize core: better-sqlite3, versioned migrations, graceful shutdown
2026-03-22 17:52:24 +01:00
tsconfig.json
some fixes
2026-03-30 06:59:24 +02:00