This PR fixes a security issue where authenticated users could access and modify data belonging to
other users. The isOwnProfileOrAdmin() middleware was missing from several push subscription API
routes. As a result, any authenticated user on the instance could manipulate the userId parameter in
the URL to view or delete the push subscriptions of other users.
Add ownership check to GET /api/v1/user/:id so the full user object(including eager-loaded settings
with notification credentials) is onlyreturned to the user themselves or MANAGE_USERS admins. All
otherauthenticated users receive a stripped response (which is the intended behaviour as
https://github.com/sct/overseerr/pull/3695#issuecomment-1817827774). Also expands
User.filteredFields to strip sensitive fileds to prevent leaking credentials
Fix a logic flaw in the jellyfin auth guard that allowed unauthenticated users to register accounts
on Plex-configured instances by authenticating against an attacker-controlled Jellyfin server.
* fix(servarr): add timeout to Radarr/Sonarr API requests to prevent infinite loading
Adds a 5-second timeout to all Radarr/Sonarr API requests and displays a warning banner when
services are unreachable. This prevents the Recent Requests section and request list pages from
hanging indefinitely when a configured service has connection issues.
fix#2374
* fix(requests): only show service error banner to users with advanced permissions
* chore(deps): update dependencies and fix security vulnerabilities
Update TypeScript 4.9 → 5.4. Update Zod 3 → 4. Update nodemailer 6 → 7. Update @typescript-eslint
packages to v7. Update xml2js, undici, lodash, axios, swr, winston- Add pnpm.overrides for
transitive dependency vulnerabilities
* chore: fix import ordering for TypeScript 5.4 compatibility
prettier-plugin-organize-imports behaves differently with TypeScript 5.4 vs 4.9, causing CI
formatting checks to fail. This reformats imports to match the ordering expected by the plugin with
the upgraded TS version.
PR #1543 introduced resolution checking to check 4k from non4k media when users have both server
types configured with the same service. Howerver, this causes false deletions for users with only a
single non4k service when radarr upgrades file to 4k resolution. This fix only applies resolution to
checking when both 4k and non4k servers are configured. Otherwise then if file exists then it counts
as available
