SergeantPanda
f98bb183da
Bug Fix: Fixed a provider TCP connection leak in the VOD proxy
2026-04-13 19:33:22 -05:00
SergeantPanda
a3f7d465d5
Merge pull request #1125 from firestaerter3:fix/vod-profile-connections-race-conditions
...
fix(vod-proxy): eliminate profile_connections counter stuck-at-nonzero races
2026-04-13 19:11:12 -05:00
SergeantPanda
55048b60e3
fix(vod-proxy): prevent double profile decrement and clean up stream counter naming
2026-04-13 18:40:33 -05:00
SergeantPanda
d73071b20f
Merge branch 'dev' of https://github.com/Dispatcharr/Dispatcharr into pr/firestaerter3/1125
2026-04-13 17:42:43 -05:00
SergeantPanda
f8407610c8
Bug Fix/Enhancement: Improve logic for get xc epg endpoint for short epgs. Also support epg_days from xc user for xc epg endpoint.
CI Pipeline / prepare (push) Waiting to run
CI Pipeline / docker (amd64, ubuntu-24.04) (push) Blocked by required conditions
CI Pipeline / docker (arm64, ubuntu-24.04-arm) (push) Blocked by required conditions
CI Pipeline / create-manifest (push) Blocked by required conditions
Build and Push Multi-Arch Docker Image / build-and-push (push) Waiting to run
Frontend Tests / test (push) Has been cancelled
2026-04-12 18:51:40 -05:00
SergeantPanda
9f3d4ff7ff
Enhancement: Improved the EPG response cache key
2026-04-12 18:19:19 -05:00
SergeantPanda
62848c0ea0
Enhancement: Improved the HDHR, M3U, and EPG URL builder popovers in the Channels table
2026-04-12 17:24:17 -05:00
SergeantPanda
95fba1cb84
Bug Fix: Fixed the XC Password field in the User modal being editable by standard users
2026-04-12 16:45:58 -05:00
SergeantPanda
123509eb9d
Enhancement: Redesigned the User settings modal with a tabbed layout
2026-04-12 16:39:35 -05:00
SergeantPanda
ba967f47d9
Enhancement: **EPG historical data window**: the EPG XML output and XC EPG API now support a prev_days URL parameter (e.g. &prev_days=3) to include past programs in the EPG response. This allows third-party players that request historical program schedules to receive the data they need. The EPG URL builder in the Channels page exposes "Days forward" and "Days back" controls. Per-user defaults for both values (epg_days / epg_prev_days) can be configured in the User settings modal and are applied automatically when no URL parameter is present. ( Closes #1154 )
2026-04-12 16:34:15 -05:00
SergeantPanda
a83b9fdf62
Enhancement: EPG channel scanning now automatically removes stale EPGData entries.
2026-04-12 15:37:28 -05:00
SergeantPanda
298ca3260e
tests: Update frontend tests for recent frontend changes (Floating Video Player and Stream Connection Card)
CI Pipeline / prepare (push) Waiting to run
CI Pipeline / docker (amd64, ubuntu-24.04) (push) Blocked by required conditions
CI Pipeline / docker (arm64, ubuntu-24.04-arm) (push) Blocked by required conditions
CI Pipeline / create-manifest (push) Blocked by required conditions
Build and Push Multi-Arch Docker Image / build-and-push (push) Waiting to run
Frontend Tests / test (push) Waiting to run
2026-04-12 12:37:02 -05:00
SergeantPanda
e69a8f3449
Bug Fix: Stats page "Active Stream" dropdown not updating when a stream switch occurs
2026-04-12 12:28:39 -05:00
SergeantPanda
b629836b3d
Bug Fix: Fixed stream switch metadata (url, user_agent, stream_id, m3u_profile) being written to Redis before the switch was confirmed to succeed
2026-04-12 12:02:20 -05:00
SergeantPanda
65d14644b4
Bug Fix: Fixed the next_stream rotation endpoint applying the same class of bug
2026-04-12 11:36:08 -05:00
SergeantPanda
ef030b3da0
Bug Fix: Manual stream selection from the Stats page not enforcing M3U profile connection limits in multi-worker deployments
2026-04-12 10:03:46 -05:00
SergeantPanda
ad46a10ce6
Bug Fix: Uploading a local M3U file with no expiration date set sending the string "null" as the exp_date field in the FormData request, causing a 400 validation error from the API. Null/undefined values are now skipped when building the FormData body, matching the behaviour already present in the update path.
2026-04-12 09:04:49 -05:00
SergeantPanda
f1a82e8843
Bug Fix: Fixed several incorrect or incomplete OpenAPI (@extend_schema) schemas across the API
CI Pipeline / prepare (push) Waiting to run
CI Pipeline / docker (amd64, ubuntu-24.04) (push) Blocked by required conditions
CI Pipeline / docker (arm64, ubuntu-24.04-arm) (push) Blocked by required conditions
CI Pipeline / create-manifest (push) Blocked by required conditions
Build and Push Multi-Arch Docker Image / build-and-push (push) Waiting to run
Frontend Tests / test (push) Waiting to run
2026-04-11 17:02:07 -05:00
SergeantPanda
1adbc70f53
Bug Fix: Fix bulk channel edit API when including streams array. ( Fixes #883 )
2026-04-11 16:11:45 -05:00
SergeantPanda
bfec229ca9
Enhancements:
...
- Rewrote the M3U line parser as an `iter_m3u_entries` generator that owns the full per-entry state machine. Intermediate directive lines between `#EXTINF` and the stream URL are now handled correctly rather than corrupting the pending entry or being silently misassigned. A `#EXTINF` with no following URL is discarded with a warning instead of carrying over a `url`-less entry into batch processing. Attribute keys are normalised to lowercase during parsing (provider attribute names remain case-insensitive end-to-end). The `#EXTINF` attribute regex is pre-compiled at module load, and attribute lookups use O(1) `dict.get()` instead of linear scans — approximately 10% faster parsing on large M3U files.
- Added support for the `#EXTGRP` directive in M3U files. When a `group-title` attribute is absent from the `#EXTINF` line, the value from a following `#EXTGRP:` line is used as the group. An explicit `group-title` attribute always takes priority. (Closes #1088 )
- Added accumulation of `#EXTVLCOPT` directives per entry. Options are stored as a list under `vlc_opts` inside the stream's `custom_properties`, available for downstream use (e.g. passing VLC-specific options to the player). This is for a planned future enhancement and can also be utlized with the API.
2026-04-11 14:57:52 -05:00
SergeantPanda
fd7ac0029d
Enhancement: M3U stream name parsing now uses the comma text (the canonical display title per the base #EXTINF spec) as the primary stream name, falling back to tvc-guide-title, then tvg-name, rather than preferring tvg-name first. Providers that use tvg-name as an EPG key and put the human-readable title after the comma will now display the correct name. Providers that duplicate the same value in both fields are unaffected. ( Fixes #1081 )
2026-04-11 12:46:36 -05:00
SergeantPanda
4a6724c94b
Enhancement: FloatingVideo player: the native video controls (timeline, play/pause, volume) are now hidden by default when a live stream starts and only appear when the user hovers over the player.
2026-04-11 09:34:38 -05:00
SergeantPanda
8afaa01184
security: Extended rate limiting to the session-auth login alias (POST /api/accounts/auth/login/). It now delegates entirely to TokenObtainPairView, inheriting its throttle, network access check, and audit logging, and returns JWT tokens instead of a session cookie (the session-based response was unusable since SessionAuthentication is not in DEFAULT_AUTHENTICATION_CLASSES). Both endpoints share the same "login" throttle scope, so attempts across either path count against the same per-IP limit.
CI Pipeline / prepare (push) Waiting to run
CI Pipeline / docker (amd64, ubuntu-24.04) (push) Blocked by required conditions
CI Pipeline / docker (arm64, ubuntu-24.04-arm) (push) Blocked by required conditions
CI Pipeline / create-manifest (push) Blocked by required conditions
Build and Push Multi-Arch Docker Image / build-and-push (push) Waiting to run
2026-04-10 19:54:10 -05:00
SergeantPanda
e861fca092
Enhancement: Enhanced Swagger UI authorization dialog: registered a custom OpenApiAuthenticationExtension for ApiKeyAuthentication so drf-spectacular now generates an ApiKeyAuth (apiKey) entry alongside jwtAuth. Both entries include descriptive text linking to the relevant endpoints (/api/accounts/token/, /api/accounts/api-keys/generate/, /api/accounts/api-keys/revoke/).
2026-04-10 18:29:13 -05:00
SergeantPanda
f83523cfa2
changelog: Update changelog for plugin hub.
2026-04-10 17:50:02 -05:00
SergeantPanda
d8d0695963
Merge pull request #1155 from sv-dispatcharr/feat/plugin-hub
...
CI Pipeline / prepare (push) Waiting to run
CI Pipeline / docker (amd64, ubuntu-24.04) (push) Blocked by required conditions
CI Pipeline / docker (arm64, ubuntu-24.04-arm) (push) Blocked by required conditions
CI Pipeline / create-manifest (push) Blocked by required conditions
Build and Push Multi-Arch Docker Image / build-and-push (push) Waiting to run
Frontend Tests / test (push) Waiting to run
Base Image Build / prepare (push) Has been cancelled
Base Image Build / docker (amd64, ubuntu-24.04) (push) Has been cancelled
Base Image Build / docker (arm64, ubuntu-24.04-arm) (push) Has been cancelled
Base Image Build / create-manifest (push) Has been cancelled
[Feature]: Add in-app plugin repo browser & management
2026-04-10 15:01:09 -05:00
Seth Van Niekerk
03b50420f5
update background color for AvailablePluginCard and PluginCard components; adjust button group alignment in PluginBrowsePage
2026-04-10 15:40:34 -04:00
Seth Van Niekerk
9734bca239
fix: update author display in PluginCard test
2026-04-10 15:22:08 -04:00
Seth Van Niekerk
e8e1560106
simplify component structure and improve layout responsiveness
2026-04-10 15:17:01 -04:00
Seth Van Niekerk
2573928e2a
enhance plugin installation and manifest fetching error handling with code review suggestions
2026-04-10 14:44:07 -04:00
Seth Van Niekerk
1cda7b9439
feat: plugin hub
2026-04-10 13:53:45 -04:00
SergeantPanda
192a134c04
changelog: Update changelog for python package updates/additions.
2026-04-10 12:30:58 -05:00
SergeantPanda
9b4d18bc18
Merge branch 'main' of https://github.com/Dispatcharr/Dispatcharr into dev
2026-04-10 12:26:31 -05:00
SergeantPanda
8eb22ce45a
Enhancement: Add python-gnupg to dependencies for plugin store.
Base Image Build / prepare (push) Has been cancelled
Build and Push Multi-Arch Docker Image / build-and-push (push) Has been cancelled
Base Image Build / docker (amd64, ubuntu-24.04) (push) Has been cancelled
Base Image Build / docker (arm64, ubuntu-24.04-arm) (push) Has been cancelled
Base Image Build / create-manifest (push) Has been cancelled
2026-04-10 12:24:19 -05:00
SergeantPanda
ff60005442
chore: Updated python packages.
...
- `Django` 6.0.3 → 6.0.4
- `djangorestframework` 3.16.1 → 3.17.1
- `requests` 2.33.0 → 2.33.1
- `gevent` 25.9.1 → 26.4.0
- `rapidfuzz` 3.14.3 → 3.14.5
- `sentence-transformers` 5.3.0 → 5.4.0
- `lxml` 6.0.2 → 6.0.3
2026-04-10 12:16:49 -05:00
SergeantPanda
06358a0333
Merge pull request #1190 from Dispatcharr/hardening
...
Hardening
2026-04-10 11:34:03 -05:00
SergeantPanda
c3fb9c0073
security: Fixed missing network_access_allowed checks in the VOD proxy. stream_vod, head_vod, stream_xc_movie, and stream_xc_episode were not checking the STREAMS network policy, unlike the equivalent TS proxy endpoints.
2026-04-10 11:09:27 -05:00
SergeantPanda
fa9a7868ff
security: proxy streaming endpoints (stream_ts, stream_xc, stream_vod, head_vod, stream_xc_movie, stream_xc_episode) use @permission_classes([AllowAny]) (access is controlled by the per-stream-type network allow-list inside the view body); the UserAgentViewSet, StreamProfileViewSet, CoreSettingsViewSet, and ProxySettingsViewSet gained get_permissions() methods mapping read actions to IsStandardUser and write actions to IsAdmin; and AuthViewSet.logout was updated to return [Authenticated()].
2026-04-10 10:47:50 -05:00
SergeantPanda
66ee67da30
security: Change from default of "Authenticated" to "IsAdmin"
2026-04-10 10:46:16 -05:00
SergeantPanda
289a8f48d0
security: Update frontend packages to mitigate CVE's.
2026-04-10 08:50:13 -05:00
SergeantPanda
04a684b359
security: Removed CORS_ALLOW_CREDENTIALS = True from CORS configuration. Dispatcharr authenticates via JWT Authorization headers and API keys — not cookies — so credentials are never sent cross-origin by browsers. The setting was also redundant: browsers reject Access-Control-Allow-Credentials: true when Access-Control-Allow-Origin is a wildcard (*), so it had no effect in practice.
2026-04-10 08:34:13 -05:00
SergeantPanda
b535f28ac5
security: Added rate limiting to the login endpoint (POST /api/accounts/token/) using DRF's built-in throttling. A LoginRateThrottle (3 requests/minute per IP, sliding window) is applied to the TokenObtainPairView. Repeated failed attempts from the same IP receive 429 Too Many Requests.
2026-04-09 21:46:50 -05:00
SergeantPanda
47427d4b0f
security:
...
- Set `DEFAULT_PERMISSION_CLASSES` to `Authenticated` in the DRF configuration.
- Explicitly marked the HDHomeRun discovery endpoints (`DiscoverAPIView`, `LineupAPIView`, `LineupStatusAPIView`, `HDHRDeviceXMLAPIView`) and the version endpoint with `permission_classes = [AllowAny]` to document their intentionally public access now that the global default is `Authenticated`.
2026-04-09 21:36:51 -05:00
SergeantPanda
7083c512be
security: Fixed path traversal vulnerability in file uploads. The M3U account upload (apps/m3u/api_views.py), logo upload (apps/channels/api_views.py), and backup upload (apps/backups/api_views.py) all used the uploaded filename directly without sanitization. os.path.join() discards all preceding components when it encounters an absolute path segment, and pathlib's / operator behaves identically; a relative ../ sequence also escapes via OS path resolution at open() time. All three upload paths now strip directory components via Path(name).name and validate the resolved path remains within the intended upload directory. Exploiting any of these required admin credentials.
2026-04-09 21:32:36 -05:00
SergeantPanda
08545b8c92
security: Prevented users from setting xc_password (and other admin-managed keys) on their own account via the PATCH /api/accounts/users/me/ endpoint.
2026-04-09 21:31:38 -05:00
SergeantPanda
dcefc6541c
chore(cleanup): - Removed dead VODConnectionManager class (apps/proxy/vod_proxy/connection_manager.py) and its associated helpers, which had been superseded by MultiWorkerVODConnectionManager. All active code already used the multi-worker implementation. Removed the unused VODConnectionManager import from vod_proxy/views.py, the unscheduled cleanup_vod_connections task from apps/proxy/tasks.py, and the unscheduled cleanup_vod_persistent_connections task from core/tasks.py.
...
CI Pipeline / prepare (push) Waiting to run
CI Pipeline / docker (amd64, ubuntu-24.04) (push) Blocked by required conditions
CI Pipeline / docker (arm64, ubuntu-24.04-arm) (push) Blocked by required conditions
CI Pipeline / create-manifest (push) Blocked by required conditions
Build and Push Multi-Arch Docker Image / build-and-push (push) Waiting to run
Frontend Tests / test (push) Waiting to run
- Removed dead VOD URL routes: `VODPlaylistView` (playlist generation), `VODPositionView` (position tracking), and the class-based `VODStatsView` (replaced by the existing function-based `vod_stats` view).
- Removed dead `updateVODPosition()` API method from `frontend/src/api.js`, which called the now-removed position tracking endpoint.
2026-04-09 19:59:50 -05:00
SergeantPanda
7f64642003
security: Hardened the HLS proxy change_stream endpoint by converting it from a plain Django view to a DRF @api_view with @permission_classes([IsAdmin]), ensuring the endpoint actually enforces admin-only access. The previous decorator arrangement (@csrf_exempt + @permission_classes) had no effect on a plain Django view.
2026-04-09 19:58:40 -05:00
SergeantPanda
df6d821135
changelog: Update changelog for refactor PR.
2026-04-09 18:28:20 -05:00
SergeantPanda
bf409fb240
Merge pull request #1187 from nick4810:tests/frontend-unit-tests
...
Tests/frontend unit tests
2026-04-09 18:21:36 -05:00
SergeantPanda
442e2bdc0e
Remove unused starttime24_long from buildTimePlaceholders, simplified formatTime24.
2026-04-09 17:50:59 -05:00