mirror of
https://github.com/screentinker/screentinker.git
synced 2026-05-15 07:32:23 -06:00
Extend the public /api/content/:id/file gate to unlock content referenced by widgets (previously only playlists unlocked it), so device browsers and kiosk iframes can fetch logos and background images that widgets embed.

Security: scope the widget lookup to the content owner's widgets only (w.user_id = content.user_id). Otherwise a user could unlock another user's content file by creating their own widget whose config references the victim's content UUID. The pre-existing playlist gate has the same shape and is left for a separate fix.

Also adds a 30/min rate limit on POST /api/widgets/preview, which inlines user content as base64 and is memory-intensive.

Perf note: the widgets.config LIKE scan is O(n). Fine at current scale; revisit with a content_widget_refs join table if the widget table grows.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
| Name |
|---|
| db |
| middleware |
| player |
| routes |
| services |
| ws |
| config.js |
| package-lock.json |
| package.json |
| server.js |