Dispatcharr/apps
SergeantPanda f89df3284e fix(epg): fix and clean up EPG program search API and tests
- Fix test user: set user_level=1 (STANDARD), REMOTE_ADDR="127.0.0.1" to
  satisfy IsStandardUser + network_access_allowed checks; move user creation
  to setUpTestData (1 DB write per class instead of per test)
- Fix parenthesis parser: group_result was computed then silently discarded;
  rewrite parse_expression to recursively compose Q objects correctly so
  queries like "(Newcastle OR NEW) AND (Villa OR AST)" work as documented
- Fix field selection performance: resolve allowed fields before serialization
  and pass as context; get_channels/get_streams short-circuit when not requested
- Move import re to top of file; remove mid-file alias regex_module
- Convert ProgramSearchAPIView standalone APIView into @action(detail=False)
  on ProgramViewSet so the router registers programs/search/ before
  programs/{pk}/ automatically, eliminating the URL ordering dependency
- Scope permission to the action directly via permission_classes=[IsStandardUser]
  rather than adding "search" to the global permission_classes_by_action dict
- Add test_title_parenthetical_grouping to cover the fixed parser path
- Tighten existing test assertions (case-insensitive, whole-word, description
  AND, page_size cap) to catch regressions rather than passing vacuously

Co-authored-by: Copilot <copilot@github.com>
2026-04-24 14:37:12 -05:00
..
accounts security: Extended rate limiting to the session-auth login alias (POST /api/accounts/auth/login/). It now delegates entirely to TokenObtainPairView, inheriting its throttle, network access check, and audit logging, and returns JWT tokens instead of a session cookie (the session-based response was unusable since SessionAuthentication is not in DEFAULT_AUTHENTICATION_CLASSES). Both endpoints share the same "login" throttle scope, so attempts across either path count against the same per-IP limit. 2026-04-10 19:54:10 -05:00
api initial connect feature 2026-02-08 09:29:22 -05:00
backups security: Fixed path traversal vulnerability in file uploads. The M3U account upload (apps/m3u/api_views.py), logo upload (apps/channels/api_views.py), and backup upload (apps/backups/api_views.py) all used the uploaded filename directly without sanitization. os.path.join() discards all preceding components when it encounters an absolute path segment, and pathlib's / operator behaves identically; a relative ../ sequence also escapes via OS path resolution at open() time. All three upload paths now strip directory components via Path(name).name and validate the resolved path remains within the intended upload directory. Exploiting any of these required admin credentials. 2026-04-09 21:32:36 -05:00
channels Bug Fix: EPG channel name vlaue too long for type character varying(255) (Fixes #1134) 2026-04-21 09:23:35 -05:00
connect Enhancement: VOD start/stop notifications and system events. 2026-04-23 18:03:02 -05:00
dashboard modified database fields for consistency, removed custom_url from streams (no longer needed) 2025-03-16 09:07:10 -04:00
epg fix(epg): fix and clean up EPG program search API and tests 2026-04-24 14:37:12 -05:00
hdhr security: 2026-04-09 21:36:51 -05:00
m3u Enhancement: The default profile in the M3U profiles editor now exposes Search Pattern and Replace Pattern fields 2026-04-21 17:20:45 -05:00
output performance: 2026-04-16 13:19:19 -05:00
plugins fix(migration): Fix plugin repo migration that specified AutoField for id instead of BigAutoField. 2026-04-14 16:36:16 -05:00
proxy Enhancement: VOD start/stop notifications and system events. 2026-04-23 18:03:02 -05:00
vod fix: clear previous failure entries after successful logo fetch in LogoViewSet and VODLogoViewSet 2026-04-14 13:34:17 -05:00