Dispatcharr/apps
SergeantPanda 29228612aa
Some checks are pending
CI Pipeline / prepare (push) Waiting to run
CI Pipeline / docker (amd64, ubuntu-24.04) (push) Blocked by required conditions
CI Pipeline / docker (arm64, ubuntu-24.04-arm) (push) Blocked by required conditions
CI Pipeline / create-manifest (push) Blocked by required conditions
Build and Push Multi-Arch Docker Image / build-and-push (push) Waiting to run
Frontend Tests / test (push) Waiting to run
perf/fix: eliminate per-tick DB queries in stats; fix channel notifications
- Write channel_name (and stream_name fallback) into Redis metadata at
  channel init time; read directly from Redis in get_basic_channel_info,
  removing Stream and M3UAccountProfile DB queries on every stats tick
- Pass channel.name from views.py into ChannelService.initialize_channel
  via new optional channel_name param, skipping the redundant Channel DB
  lookup on the normal streaming path
- Pass stream_name from get_stream_info_for_switch through change_stream_url
  into _update_channel_metadata, skipping the Stream DB lookup on switches
- Resolve m3u_profile_name on the frontend from the playlists store instead
  of querying the DB per tick; StreamConnectionCard builds an id→profile map
- Fix channel start notification showing no name and stop notification
  showing UUID: both now use channel_name from the stats WebSocket payload
2026-04-21 18:55:38 -05:00
..
accounts security: Extended rate limiting to the session-auth login alias (POST /api/accounts/auth/login/). It now delegates entirely to TokenObtainPairView, inheriting its throttle, network access check, and audit logging, and returns JWT tokens instead of a session cookie (the session-based response was unusable since SessionAuthentication is not in DEFAULT_AUTHENTICATION_CLASSES). Both endpoints share the same "login" throttle scope, so attempts across either path count against the same per-IP limit. 2026-04-10 19:54:10 -05:00
api initial connect feature 2026-02-08 09:29:22 -05:00
backups security: Fixed path traversal vulnerability in file uploads. The M3U account upload (apps/m3u/api_views.py), logo upload (apps/channels/api_views.py), and backup upload (apps/backups/api_views.py) all used the uploaded filename directly without sanitization. os.path.join() discards all preceding components when it encounters an absolute path segment, and pathlib's / operator behaves identically; a relative ../ sequence also escapes via OS path resolution at open() time. All three upload paths now strip directory components via Path(name).name and validate the resolved path remains within the intended upload directory. Exploiting any of these required admin credentials. 2026-04-09 21:32:36 -05:00
channels Bug Fix: EPG channel name vlaue too long for type character varying(255) (Fixes #1134) 2026-04-21 09:23:35 -05:00
connect Bug Fix: Fixed several incorrect or incomplete OpenAPI (@extend_schema) schemas across the API 2026-04-11 17:02:07 -05:00
dashboard modified database fields for consistency, removed custom_url from streams (no longer needed) 2025-03-16 09:07:10 -04:00
epg Bug Fix: EPG channel name vlaue too long for type character varying(255) (Fixes #1134) 2026-04-21 09:23:35 -05:00
hdhr security: 2026-04-09 21:36:51 -05:00
m3u Enhancement: The default profile in the M3U profiles editor now exposes Search Pattern and Replace Pattern fields 2026-04-21 17:20:45 -05:00
output performance: 2026-04-16 13:19:19 -05:00
plugins fix(migration): Fix plugin repo migration that specified AutoField for id instead of BigAutoField. 2026-04-14 16:36:16 -05:00
proxy perf/fix: eliminate per-tick DB queries in stats; fix channel notifications 2026-04-21 18:55:38 -05:00
vod fix: clear previous failure entries after successful logo fetch in LogoViewSet and VODLogoViewSet 2026-04-14 13:34:17 -05:00