6b1ef7dcfa
CRITICAL security fix: In per-user notification mode, the notification runner was fetching ALL active bills globally and sending each bill's details to every opted-in recipient regardless of ownership. This meant User A's bill names, amounts, and due dates could be emailed to User B. Fix: Added ownership filter in the recipient loop: if (allowUserConfig && bill.user_id !== recipient.id) continue; Also added a defensive guard for bills with no user_id (orphaned bills), which are now skipped with a console.warn instead of being broadcast. Global notification mode (single admin recipient) is unaffected. Security audit: Private_Hudson confirmed the fix is airtight. All other routes (bills, payments, tracker, analytics, export, calendar, summary, categories) properly scope data by user_id. Version bump: 0.23.1 → 0.23.2 (security patch) |
||
|---|---|---|
| .. | ||
| components | ||
| contexts | ||
| hooks | ||
| lib | ||
| pages | ||
| public/img | ||
| App.jsx | ||
| api.js | ||
| index.css | ||
| main.jsx | ||