What's Changed
Security:
- [Critical] Unauthenticated Path Traversal in Public Share Delete Allows Arbitrary File Deletion GHSA-fwj3-42wh-8673 (thanks @Yesuhei)
- [Moderate] Stored XSS via SVG File in Public Share (Missing CSP Header) GHSA-mmpx-jh39-wrv6 (thanks @MuxiLyuLucy)
Notes:
- Creating/deleting a password-based user requires reauthentication (#2112)
BugFixes:
- Fix context menu items and adjust when items show to more accurately reflect permissions.
- Quick download icon style after icon change.
- Missing error popup for resource creation actions (upload/create)
- EnforcedOtp login failure until restart (#2330)
- Thumbnails for Folders only display sporadically (#2353)
- Unwanted user scope change for users with non-default scopes (#2347)
- Fix sidebar source info totals (#2321) (#2322) (#982)
- Error uploading a large number of photos -- only 100 items get uploaded (#2348)
- TOTP works for admin but fails for standard users on re-login until Docker is restarted (#2330)
- No login fields shown if password authentication is set to false (#2331)
Full Changelog: v1.3.0-stable...v1.3.1-stable