ScreenTinker 0b9aa56e75 Phase 2.2m: schedules.js scoped to workspace_id; schedule.workspace_id inherited from target (device/group); fixes 6 pre-existing cross-tenant leaks (POST content/widget/layout/playlist accepted with no check, PUT verifyOwnership rewrite across all 6 polymorphic targets)		2026-05-11 23:03:54 -05:00
..
config	fix: log real client IPs through Cloudflare instead of CF edge	2026-05-07 15:26:37 -05:00
db	Phase 2.2c: content_folders gets workspace_id (schema + backfill); folders.js scoped; content.js folder-move strict same-workspace	2026-05-11 21:04:03 -05:00
lib	Phase 2.1: tenancy middleware, permission helpers, JWT workspace context, frontend + backend role-rename compat	2026-05-11 20:02:00 -05:00
middleware	Phase 2.1: tenancy middleware, permission helpers, JWT workspace context, frontend + backend role-rename compat	2026-05-11 20:02:00 -05:00
player	Video walls: free-form canvas editor, leader-driven sync, group dissolve, progress bars	2026-04-29 23:11:16 -05:00
routes	Phase 2.2m: schedules.js scoped to workspace_id; schedule.workspace_id inherited from target (device/group); fixes 6 pre-existing cross-tenant leaks (POST content/widget/layout/playlist accepted with no check, PUT verifyOwnership rewrite across all 6 polymorphic targets)	2026-05-11 23:03:54 -05:00
services	fix: log real client IPs through Cloudflare instead of CF edge	2026-05-07 15:26:37 -05:00
ws	Video walls: free-form canvas editor, leader-driven sync, group dissolve, progress bars	2026-04-29 23:11:16 -05:00
config.js	Add DISABLE_REGISTRATION env var to block public sign-ups	2026-04-22 19:35:32 -05:00
package-lock.json	Security: fix IDORs, XSS, rate limits, SSRF validation	2026-04-28 14:37:18 -05:00
package.json	Security: fix IDORs, XSS, rate limits, SSRF validation	2026-04-28 14:37:18 -05:00
server.js	Phase 2.2d: widgets.js scoped to workspace_id; import + widget-reference defense bundled	2026-05-11 21:13:51 -05:00