Warning
Security Vulnerability: All v4 versions affected, /api/user/files/transaction has a vulnerability in which any authenticated user is allowed to modify/delete files owned by other users. This is only possible if the attacker knows the file ID's and is making authenticated requests. All users are strongly advised to update immediately. If there are no other users you don't really need to worry ig.
What's changed
- fixed multiple db connections on offloaded threads
- ⚠️ fixed any user file modification/deletion on transactional api
- mostly under the hood changes
- refactor upload logic
- refactor thumbnail logic
- updated packages
- nix flake uses devenv now for easier postgres/minio setup
Full Changelog: v4.2.1...v4.2.2