Gauthier 946bdecec5 Merge commit from fork ...

This PR fixes a security issue where authenticated users could access and modify data belonging to
other users. The isOwnProfileOrAdmin() middleware was missing from several push subscription API
routes. As a result, any authenticated user on the instance could manipulate the userId parameter in
the URL to view or delete the push subscriptions of other users.

2026-02-28 00:58:50 +08:00

754 B

Raw Blame History

View Raw