listmonk/internal/core
Kailash Nadh 4b805f885b Fix broken subscribers:sql_query permission.
This permission was never checked for and had an unintended consequence of
allowing a non-superadmin user to execute arbitrary queries (expected), but
getting a superadmin session by joining the `sessions` table.

This patch:
- Introduces a table allowlist that uses the Postgres query plan (JSON)
  and validates the referenced tables against the allowed ones on arbitrary
  queries issued to the various `/subscribers` APIs.
- Explicitly adds the missing `subscribers:sql_query` permission check to all
  handlers that accept `query`.
- Introduces a new `search` parameter on all handlers that accept `query`.
  This parameter is an interface over the default name/email substring search
  instead of relying on `query`.
2025-04-18 14:15:47 +05:30
bounces.go Fix typo and formatting (#2028) 2024-08-30 13:24:45 +05:30
campaigns.go Fix a number of cosmetic inconsistencies across handlers and functions. 2025-04-05 13:41:31 +05:30
core.go Remove forcing unique filename on all media uploads. 2025-03-29 15:21:32 +05:30
dashboard.go Add support for caching slow queries on large databases. 2024-01-27 15:51:12 +05:30
lists.go Fix a number of cosmetic inconsistencies across handlers and functions. 2025-04-05 13:41:31 +05:30
media.go Fix a number of cosmetic inconsistencies across handlers and functions. 2025-04-05 13:41:31 +05:30
roles.go Introduce LISTMONK_ADMIN_API_USER to --install. Closes #2314, #2322. 2025-04-10 13:06:04 +05:30
settings.go
subscribers.go Fix broken subscribers:sql_query permission. 2025-04-18 14:15:47 +05:30
subscriptions.go Fix broken subscribers:sql_query permission. 2025-04-18 14:15:47 +05:30
templates.go Disable template type updation after creation to prevent breaking of campaign relations. 2022-07-09 10:36:12 +05:30
users.go Refactor user auth models and permission checks. 2025-04-05 00:19:27 +05:30