H1K0
945df7ef8a
Two broken-access-control holes: - PUT/DELETE /files/:id/tags(/:tag_id) and GET /files/:id/tags went straight to TagService with no ACL check, letting any authenticated user read or rewrite tags on anyone's private files. The handlers now require view (list) or edit (mutate) on the target file via new FileService.AuthorizeView/AuthorizeEdit helpers. - POST /files/import accepted an arbitrary host path from any user, turning it into an arbitrary server-side file read. It is now admin-only and the supplied path is confined to IMPORT_PATH. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>