Maurice 16277a3811 security: fix missing trip access checks on Immich routes (GHSA-pcr3-6647-jh72) ...

security: require auth for uploaded photos (GHSA-wxx3-84fc-mrx2)

GHSA-pcr3-6647-jh72 (HIGH):
- Add canAccessTrip check to all /trips/:tripId/photos and
  /trips/:tripId/album-links endpoints
- Prevents authenticated users from accessing other trips' photos

GHSA-wxx3-84fc-mrx2 (LOW):
- /uploads/photos now requires JWT auth token or valid share token
- Covers and avatars remain public (needed for login/share pages)
- Files were already blocked behind auth

2026-04-01 15:46:08 +02:00

..

public

Merge branch 'perf-test' of https://github.com/jubnl/TREK into dev

2026-03-31 23:10:02 +02:00

src

security: fix missing trip access checks on Immich routes (GHSA-pcr3-6647-jh72)

2026-04-01 15:46:08 +02:00

.env.example

docs: document all env vars and remove SMTP/webhook from docker config

2026-03-31 22:24:07 +03:00

package-lock.json

Merge branch 'pr-125'

2026-03-30 23:10:34 +02:00

package.json

Merge branch 'pr-125'

2026-03-30 23:10:34 +02:00

reset-admin.js

Stabilize core: better-sqlite3, versioned migrations, graceful shutdown

2026-03-22 17:52:24 +01:00

tsconfig.json

some fixes

2026-03-30 06:59:24 +02:00