Close citation/source living-person leak; add on-demand tree purge #245
1. Privacy fix (NN#2/NN#3) — citation/source redaction
The citation & source list endpoints gated only on can_view_tree, so a non-member on a public/unlisted/site_members tree could enumerate citations and sources tied to a redacted living person — leaking that they exist and have sourced facts (and possibly their name via a source title). #46 closed this for events/media/names/relationships but not citations/sources.
Now citation_service.list_citations and source_service.{list_sources,get_source} delegate non-member reads to public_view_service (same pattern as #46): person_id, name_id, event_id (person or both-partner), and relationship_id (both-partner) targets.
Tests cover all four citation target types, source withholding, the 404, and member-sees-all.
2. On-demand tree purge
Owners can permanently delete a soft-deleted tree now instead of waiting out the 30-day auto-purge.
POST /trees/{id}/purge (owner-only): tree must be in the trash + retype its name to confirm. Media objects are deleted from storage, then one DELETE on trees cascades all tree data via the tree_id ON DELETE CASCADE; the audit entry survives (tree_id SET NULL). Frontend gains a Delete forever button on the Recently-deleted list. No migration.
Suite: 102 passing. (Your three June-7 trashed trees can now be purged from /trees once this deploys, rather than waiting for July 7.)
🤖 Generated with Claude Code
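Added example (not code from this pull request): the non-member filtering described in section 1, in Python, run over constructed data. The schema and lookup tables are hypothetical, and two rules are assumptions: a both-partner target is shown only when neither partner is redacted, and a source is withheld unless a visible citation references it.

```python
from typing import NamedTuple

class Citation(NamedTuple):
    id: int
    source_id: int
    target_type: str  # "person_id", "name_id", "event_id" or "relationship_id"
    target_id: int

# Constructed sample data (hypothetical schema). Person 2 is a redacted living person.
REDACTED = {2}
NAME_OWNER = {10: (1,), 11: (2,)}        # name_id -> owning person
EVENT_PEOPLE = {20: (1,), 22: (1, 2)}    # event_id -> person, or both partners
REL_PARTNERS = {30: (1, 2), 31: (1, 3)}  # relationship_id -> both partners
SOURCES = {100: "1880 census", 101: "Birth certificate of <living person>"}
CITATIONS = [
    Citation(1, 100, "person_id", 1), Citation(2, 101, "person_id", 2),
    Citation(3, 100, "name_id", 10), Citation(4, 101, "name_id", 11),
    Citation(5, 100, "event_id", 20), Citation(6, 101, "event_id", 22),
    Citation(7, 101, "relationship_id", 30), Citation(8, 100, "relationship_id", 31),
    Citation(9, 101, "note_id", 5),  # target type the filter does not know
]

def people_for(c):
    """People a citation's target reveals; None when it cannot be resolved."""
    if c.target_type == "person_id":
        return (c.target_id,)
    table = {"name_id": NAME_OWNER, "event_id": EVENT_PEOPLE,
             "relationship_id": REL_PARTNERS}.get(c.target_type)
    return table.get(c.target_id) if table else None

def list_citations(citations, is_member):
    """Members see all; non-members only citations whose people are all visible."""
    if is_member:
        return list(citations)
    # An unresolved target yields None and is dropped (fail closed).
    return [c for c in citations
            if (p := people_for(c)) and REDACTED.isdisjoint(p)]

def list_sources(sources, citations, is_member):
    """Non-members get a source only if a visible citation references it."""
    if is_member:
        return dict(sources)
    used = {c.source_id for c in list_citations(citations, False)}
    return {sid: title for sid, title in sources.items() if sid in used}
```

The source filter is what keeps a title such as the birth certificate above from naming the redacted person even when every citation to it is already hidden.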