Fix security issues.

2025-08-04 13:45:13 +02:00
parent f98e8f3e71
commit 64b8c3fccb
7 changed files with 1100 additions and 174 deletions
--- a/models/note.py
+++ b/models/note.py
@@ -299,8 +299,9 @@ class Note(db.Model):
    @property
    def file_url(self):
        """Get the URL to access the uploaded file"""
-        if self.file_path:
-            return f'/uploads/notes/{self.file_path}'
+        if self.file_path and self.id:
+            from flask import url_for
+            return url_for('notes_api.serve_note_file', note_id=self.id)
        return None
    
    @property