Bug Fix: Fixed the XC Password field in the User modal being editable by standard users

This commit is contained in:
SergeantPanda 2026-04-12 16:45:58 -05:00
parent 123509eb9d
commit 95fba1cb84
2 changed files with 11 additions and 3 deletions

View file

@ -54,6 +54,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Fixed the `next_stream` rotation endpoint applying the same class of bug: `get_stream_info_for_switch()` was called and returned `m3u_profile_id`, but the result was dropped when forwarding to `ChannelService.change_stream_url()`, so `update_stream_profile()` was never called and `profile_connections` counters were not updated after an automatic stream rotation.
- Fixed stream switch metadata (`url`, `user_agent`, `stream_id`, `m3u_profile`) being written to Redis before the switch was confirmed to succeed. If the switch failed, URL unchanged or exception during teardown, Redis described a URL not actually in use. Metadata is now written only after `update_url()` returns `True`; on failure the owner writes `stream_manager.url` back as the ground truth. The non-owner no longer pre-writes metadata at all, all needed info is carried in the pubsub payload and written by the owner after confirmation.
- Fixed the Stats page "Active Stream" dropdown not updating when a stream switch occurs. The card was matching the active stream by comparing the URL stored in Redis against stream URLs from the database, which failed silently when the stored URL was a transformed/rewritten value that didn't substring-match the original. The dropdown now matches by `stream_id` (the authoritative value already present in the stats payload) and re-runs only when `stream_id` changes, so the normal polling interval drives updates with no extra renders.
- Fixed the XC Password field in the User modal being editable by standard users despite the backend (`PATCH /api/accounts/users/me/`) stripping `xc_password` from `custom_properties` for non-admin users, causing the change to silently revert on save. The field and its generate button are now disabled with an explanatory description when the current user is not an administrator.
- Fixed uploading a local M3U file with no expiration date set sending the string `"null"` as the `exp_date` field in the `FormData` request, causing a 400 validation error from the API. Null/undefined values are now skipped when building the `FormData` body, matching the behaviour already present in the update path.
- Fixed `PATCH /api/channels/channels/edit/bulk/` returning a 500 error when the request body included a `streams` list. The bulk edit handler was iterating `validated_data` directly and calling `setattr(channel, "streams", value)`, which Django prohibits on ManyToMany fields. Also added an `@extend_schema` decorator so the Swagger UI correctly documents the endpoint as accepting a JSON array and shows the `streams` field. (Fixes #883)
- Fixed several incorrect or incomplete OpenAPI (`@extend_schema`) schemas across the API:

View file

@ -334,8 +334,9 @@ const User = ({ user = null, isOpen, onClose }) => {
<Tabs.Panel value="epg">
<Stack gap="sm">
<Text size="sm" c="dimmed">
These defaults apply when no URL parameters are specified
useful for XC clients that cannot pass custom query parameters.
These defaults apply when no URL parameters are specified and
can be useful for XC clients that cannot pass custom query
parameters.
</Text>
<Group grow align="flex-start">
<NumberInput
@ -362,7 +363,12 @@ const User = ({ user = null, isOpen, onClose }) => {
<Stack gap="sm">
<TextInput
label="XC Password"
description="Clear to disable XC API"
description={
isAdmin
? 'Clear to disable XC API'
: 'XC password can only be changed by an administrator'
}
disabled={!isAdmin}
{...form.getInputProps('xc_password')}
key={form.key('xc_password')}
rightSectionWidth={30}
@ -372,6 +378,7 @@ const User = ({ user = null, isOpen, onClose }) => {
size="sm"
color="white"
onClick={generateXCPassword}
disabled={!isAdmin}
>
<RotateCcwKey />
</ActionIcon>