00643c778e
- SSRF: block private/internal URLs in image cache fetch - SSRF: block private/internal URLs in RSS feed fetch (scheme guard) - SSRF: block private/internal URLs in CalDAV URL setting - Auth: require login for GET /api/images/<id> (was unauthenticated) - Auth: restrict Ollama model pull/delete to admin users only - Info disclosure: remove email from /api/users/search response - OAuth: skip email-based account linking when email_verified is false - Config: raise hard error on default SECRET_KEY when SECURE_COOKIES=true - Rate limit: document proxy header requirement; add startup warning - XSS: remove src/alt from global DOMPurify ADD_ATTR allowlist Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
30 lines
930 B
Python
30 lines
930 B
Python
from quart import Blueprint, jsonify, request
|
|
from sqlalchemy import or_, select
|
|
|
|
from fabledassistant.auth import get_current_user_id, login_required
|
|
from fabledassistant.models import async_session
|
|
from fabledassistant.models.user import User
|
|
|
|
users_bp = Blueprint("users", __name__, url_prefix="/api/users")
|
|
|
|
|
|
@users_bp.route("/search", methods=["GET"])
|
|
@login_required
|
|
async def search_users():
|
|
uid = get_current_user_id()
|
|
q = (request.args.get("q") or "").strip()
|
|
if len(q) < 2:
|
|
return jsonify({"users": []})
|
|
like = f"{q}%"
|
|
async with async_session() as session:
|
|
users = (await session.execute(
|
|
select(User).where(
|
|
User.id != uid,
|
|
or_(User.username.ilike(like), User.email.ilike(like)),
|
|
).limit(10)
|
|
)).scalars().all()
|
|
return jsonify({"users": [
|
|
{"id": u.id, "username": u.username}
|
|
for u in users
|
|
]})
|