Archive/screentinker
1
0
Fork 0
mirror of https://github.com/screentinker/screentinker.git synced 2026-05-15 07:32:23 -06:00
Code Issues Actions Packages Projects Releases Wiki Activity
screentinker/server
History
ScreenTinker 470197d203 Fix 8 security findings from Phase 3 audit + device-detail banner refresh 
Security fixes:
- Critical: Add ownership checks to assignments PUT/:id and DELETE/:id (IDOR)
- Critical: Add ownership checks to assignments copy-to endpoint for both devices
- High: Validate device ownership when adding to device groups
- High: UUID-validate content ID before LIKE query + scope to owner's playlists
- Low: Handle FK violations gracefully in playlist discard (deleted content/widgets)
- Low: Escape mime_type with esc() in playlist item display (XSS)

Bug fix:
- Device-detail mutation handlers now reload full page to show draft banner

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-13 21:36:16 -05:00
..
db Phase 3: playlist publish/draft state with auto-publish from device detail 2026-04-13 20:52:29 -05:00
middleware Security audit remediation: auth, IDOR, XSS, hardening 2026-04-11 22:48:07 -05:00
player Android + web player: handle device_token authentication 2026-04-11 22:52:52 -05:00
routes Fix 8 security findings from Phase 3 audit + device-detail banner refresh 2026-04-13 21:36:16 -05:00
services Phase 2: schedules accept playlist_id, scheduler overrides device playlist 2026-04-11 22:07:36 -05:00
ws Phase 3: playlist publish/draft state with auto-publish from device detail 2026-04-13 20:52:29 -05:00
config.js Initial open source release 2026-04-08 12:14:53 -05:00
package-lock.json Initial open source release 2026-04-08 12:14:53 -05:00
package.json Initial open source release 2026-04-08 12:14:53 -05:00
server.js Security audit remediation: auth, IDOR, XSS, hardening 2026-04-11 22:48:07 -05:00