fix: enforce ownership check on recipe deletion (GHSA-x5v9-9jvh-7c7q) (#7625)

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

frontend/app/components/Domain/Recipe/RecipeDialogAddToShoppingList.vue

@@ -321,7 +321,7 @@ async function consolidateRecipesIntoSections(recipes: RecipeWithScale[]) {
         const householdsWithFood = subIng.food?.householdsWithIngredientFood || [];
         ownIngs.push({
           checked: !householdsWithFood.includes(currentHouseholdSlug.value),
-          ingredient: { ...subIng, quantity: (ing.quantity || 1) * (subIng.quantity || 1) },
+          ingredient: subIng,
         });
       }
     }

frontend/app/composables/partials/use-actions-factory.test.ts

@@ -13,9 +13,10 @@ describe("useStoreActions", () => {
 
   const mockStore = ref([]);
   const mockLoading = ref(false);
+  const mockInitialized = ref(false);
 
   test("deleteMany calls deleteOne for each ID and refreshes once", async () => {
-    const actions = useStoreActions("test-store", mockApi, mockStore, mockLoading);
+    const actions = useStoreActions("test-store", mockApi, mockStore, mockLoading, mockInitialized);
 
     mockApi.deleteOne = vi.fn().mockResolvedValue({ response: { data: {} } });
     mockApi.getAll = vi.fn().mockResolvedValue({ data: { items: [] } });
@@ -32,7 +33,7 @@ describe("useStoreActions", () => {
   });
 
   test("deleteMany handles empty array", async () => {
-    const actions = useStoreActions("test-store", mockApi, mockStore, mockLoading);
+    const actions = useStoreActions("test-store", mockApi, mockStore, mockLoading, mockInitialized);
 
     mockApi.deleteOne = vi.fn();
     mockApi.getAll = vi.fn().mockResolvedValue({ data: { items: [] } });
@@ -44,7 +45,7 @@ describe("useStoreActions", () => {
   });
 
   test("deleteMany sets loading state", async () => {
-    const actions = useStoreActions("test-store", mockApi, mockStore, mockLoading);
+    const actions = useStoreActions("test-store", mockApi, mockStore, mockLoading, mockInitialized);
 
     mockApi.deleteOne = vi.fn().mockResolvedValue({});
     mockApi.getAll = vi.fn().mockResolvedValue({ data: { items: [] } });
@@ -55,4 +56,25 @@ describe("useStoreActions", () => {
     await promise;
     expect(mockLoading.value).toBe(false);
   });
+
+  test("refresh sets initialized to true even when store returns empty results", async () => {
+    const localInitialized = ref(false);
+    const actions = useStoreActions("test-store", mockApi, mockStore, mockLoading, localInitialized);
+
+    mockApi.getAll = vi.fn().mockResolvedValue({ data: { items: [] } });
+
+    expect(localInitialized.value).toBe(false);
+    await actions.refresh();
+    expect(localInitialized.value).toBe(true);
+  });
+
+  test("refresh sets initialized to true when store returns items", async () => {
+    const localInitialized = ref(false);
+    const actions = useStoreActions("test-store", mockApi, mockStore, mockLoading, localInitialized);
+
+    mockApi.getAll = vi.fn().mockResolvedValue({ data: { items: [{ id: "1", name: "item" }] } });
+
+    await actions.refresh();
+    expect(localInitialized.value).toBe(true);
+  });
 });

frontend/app/composables/partials/use-actions-factory.ts

@@ -26,6 +26,7 @@ export function useReadOnlyActions<T extends BoundT>(
   api: BaseCRUDAPIReadOnly<T>,
   allRef: Ref<T[] | null> | null,
   loading: Ref<boolean>,
+  initialized: Ref<boolean>,
   defaultQueryParams: Record<string, QueryValue> = {},
 ): ReadOnlyStoreActions<T> {
   function getAll(page = 1, perPage = -1, params = {} as Record<string, QueryValue>) {
@@ -69,6 +70,7 @@ export function useReadOnlyActions<T extends BoundT>(
       allRef.value = data.items;
     }
 
+    initialized.value = true;
     loading.value = false;
   }
 
@@ -89,6 +91,7 @@ export function useStoreActions<T extends BoundT>(
   api: BaseCRUDAPI<unknown, T, unknown>,
   allRef: Ref<T[] | null> | null,
   loading: Ref<boolean>,
+  initialized: Ref<boolean>,
   defaultQueryParams: Record<string, QueryValue> = {},
 ): StoreActions<T> {
   function getAll(page = 1, perPage = -1, params = {} as Record<string, QueryValue>) {
@@ -132,6 +135,7 @@ export function useStoreActions<T extends BoundT>(
       allRef.value = data.items;
     }
 
+    initialized.value = true;
     loading.value = false;
   }
 

frontend/app/composables/partials/use-store-factory.ts

@@ -16,10 +16,11 @@ export const useReadOnlyStore = function <T extends BoundT>(
   storeKey: string,
   store: Ref<T[]>,
   loading: Ref<boolean>,
+  initialized: Ref<boolean>,
   api: BaseCRUDAPIReadOnly<T>,
   params = {} as Record<string, QueryValue>,
 ) {
-  const storeActions = useReadOnlyActions(`${storeKey}-store-readonly`, api, store, loading);
+  const storeActions = useReadOnlyActions(`${storeKey}-store-readonly`, api, store, loading, initialized);
   const actions = {
     ...storeActions,
     async refresh() {
@@ -27,11 +28,12 @@ export const useReadOnlyStore = function <T extends BoundT>(
     },
     flushStore() {
       store.value = [];
+      initialized.value = false;
     },
   };
 
   // initial hydration
-  if (!loading.value && !store.value.length) {
+  if (!loading.value && !initialized.value) {
     actions.refresh();
   }
 
@@ -42,10 +44,11 @@ export const useStore = function <T extends BoundT>(
   storeKey: string,
   store: Ref<T[]>,
   loading: Ref<boolean>,
+  initialized: Ref<boolean>,
   api: BaseCRUDAPI<unknown, T, unknown>,
   params = {} as Record<string, QueryValue>,
 ) {
-  const storeActions = useStoreActions(`${storeKey}-store`, api, store, loading);
+  const storeActions = useStoreActions(`${storeKey}-store`, api, store, loading, initialized);
   const actions = {
     ...storeActions,
     async refresh() {
@@ -53,11 +56,12 @@ export const useStore = function <T extends BoundT>(
     },
     flushStore() {
       store.value = [];
+      initialized.value = false;
     },
   };
 
   // initial hydration
-  if (!loading.value && !store.value.length) {
+  if (!loading.value && !initialized.value) {
     actions.refresh();
   }
 

frontend/app/composables/store/use-category-store.ts

@@ -5,12 +5,16 @@ import { usePublicExploreApi, useUserApi } from "~/composables/api";
 
 const store: Ref<RecipeCategory[]> = ref([]);
 const loading = ref(false);
+const initialized = ref(false);
 const publicLoading = ref(false);
+const publicInitialized = ref(false);
 
 export function resetCategoryStore() {
   store.value = [];
   loading.value = false;
+  initialized.value = false;
   publicLoading.value = false;
+  publicInitialized.value = false;
 }
 
 export const useCategoryData = function () {
@@ -23,10 +27,10 @@ export const useCategoryData = function () {
 
 export const useCategoryStore = function (i18n?: Composer) {
   const api = useUserApi(i18n);
-  return useStore<RecipeCategory>("category", store, loading, api.categories);
+  return useStore<RecipeCategory>("category", store, loading, initialized, api.categories);
 };
 
 export const usePublicCategoryStore = function (groupSlug: string, i18n?: Composer) {
   const api = usePublicExploreApi(groupSlug, i18n).explore;
-  return useReadOnlyStore<RecipeCategory>("category", store, publicLoading, api.categories);
+  return useReadOnlyStore<RecipeCategory>("category", store, publicLoading, publicInitialized, api.categories);
 };

frontend/app/composables/store/use-cookbook-store.ts

@@ -5,17 +5,21 @@ import { usePublicExploreApi, useUserApi } from "~/composables/api";
 
 const cookbooks: Ref<ReadCookBook[]> = ref([]);
 const loading = ref(false);
+const initialized = ref(false);
 const publicLoading = ref(false);
+const publicInitialized = ref(false);
 
 export function resetCookbookStore() {
   cookbooks.value = [];
   loading.value = false;
+  initialized.value = false;
   publicLoading.value = false;
+  publicInitialized.value = false;
 }
 
 export const useCookbookStore = function (i18n?: Composer) {
   const api = useUserApi(i18n);
-  const store = useStore<ReadCookBook>("cookbook", cookbooks, loading, api.cookbooks);
+  const store = useStore<ReadCookBook>("cookbook", cookbooks, loading, initialized, api.cookbooks);
 
   const updateAll = async function (updateData: UpdateCookBook[]) {
     loading.value = true;
@@ -31,5 +35,5 @@ export const useCookbookStore = function (i18n?: Composer) {
 
 export const usePublicCookbookStore = function (groupSlug: string, i18n?: Composer) {
   const api = usePublicExploreApi(groupSlug, i18n).explore;
-  return useReadOnlyStore<ReadCookBook>("cookbook", cookbooks, publicLoading, api.cookbooks);
+  return useReadOnlyStore<ReadCookBook>("cookbook", cookbooks, publicLoading, publicInitialized, api.cookbooks);
 };

frontend/app/composables/store/use-food-store.ts

@@ -5,12 +5,16 @@ import { usePublicExploreApi, useUserApi } from "~/composables/api";
 
 const store: Ref<IngredientFood[]> = ref([]);
 const loading = ref(false);
+const initialized = ref(false);
 const publicLoading = ref(false);
+const publicInitialized = ref(false);
 
 export function resetFoodStore() {
   store.value = [];
   loading.value = false;
+  initialized.value = false;
   publicLoading.value = false;
+  publicInitialized.value = false;
 }
 
 export const useFoodData = function () {
@@ -24,10 +28,10 @@ export const useFoodData = function () {
 
 export const useFoodStore = function (i18n?: Composer) {
   const api = useUserApi(i18n);
-  return useStore<IngredientFood>("food", store, loading, api.foods);
+  return useStore<IngredientFood>("food", store, loading, initialized, api.foods);
 };
 
 export const usePublicFoodStore = function (groupSlug: string, i18n?: Composer) {
   const api = usePublicExploreApi(groupSlug, i18n).explore;
-  return useReadOnlyStore<IngredientFood>("food", store, publicLoading, api.foods);
+  return useReadOnlyStore<IngredientFood>("food", store, publicLoading, publicInitialized, api.foods);
 };

frontend/app/composables/store/use-household-store.ts

@@ -5,20 +5,24 @@ import { usePublicExploreApi, useUserApi } from "~/composables/api";
 
 const store: Ref<HouseholdSummary[]> = ref([]);
 const loading = ref(false);
+const initialized = ref(false);
 const publicLoading = ref(false);
+const publicInitialized = ref(false);
 
 export function resetHouseholdStore() {
   store.value = [];
   loading.value = false;
+  initialized.value = false;
   publicLoading.value = false;
+  publicInitialized.value = false;
 }
 
 export const useHouseholdStore = function (i18n?: Composer) {
   const api = useUserApi(i18n);
-  return useReadOnlyStore<HouseholdSummary>("household", store, loading, api.households);
+  return useReadOnlyStore<HouseholdSummary>("household", store, loading, initialized, api.households);
 };
 
 export const usePublicHouseholdStore = function (groupSlug: string, i18n?: Composer) {
   const api = usePublicExploreApi(groupSlug, i18n).explore;
-  return useReadOnlyStore<HouseholdSummary>("household-public", store, publicLoading, api.households);
+  return useReadOnlyStore<HouseholdSummary>("household-public", store, publicLoading, publicInitialized, api.households);
 };

frontend/app/composables/store/use-label-store.ts

@@ -5,10 +5,12 @@ import { useUserApi } from "~/composables/api";
 
 const store: Ref<MultiPurposeLabelOut[]> = ref([]);
 const loading = ref(false);
+const initialized = ref(false);
 
 export function resetLabelStore() {
   store.value = [];
   loading.value = false;
+  initialized.value = false;
 }
 
 export const useLabelData = function () {
@@ -22,5 +24,5 @@ export const useLabelData = function () {
 
 export const useLabelStore = function (i18n?: Composer) {
   const api = useUserApi(i18n);
-  return useStore<MultiPurposeLabelOut>("label", store, loading, api.multiPurposeLabels);
+  return useStore<MultiPurposeLabelOut>("label", store, loading, initialized, api.multiPurposeLabels);
 };

frontend/app/composables/store/use-tag-store.ts

@@ -5,12 +5,16 @@ import { usePublicExploreApi, useUserApi } from "~/composables/api";
 
 const store: Ref<RecipeTag[]> = ref([]);
 const loading = ref(false);
+const initialized = ref(false);
 const publicLoading = ref(false);
+const publicInitialized = ref(false);
 
 export function resetTagStore() {
   store.value = [];
   loading.value = false;
+  initialized.value = false;
   publicLoading.value = false;
+  publicInitialized.value = false;
 }
 
 export const useTagData = function () {
@@ -23,10 +27,10 @@ export const useTagData = function () {
 
 export const useTagStore = function (i18n?: Composer) {
   const api = useUserApi(i18n);
-  return useStore<RecipeTag>("tag", store, loading, api.tags);
+  return useStore<RecipeTag>("tag", store, loading, initialized, api.tags);
 };
 
 export const usePublicTagStore = function (groupSlug: string, i18n?: Composer) {
   const api = usePublicExploreApi(groupSlug, i18n).explore;
-  return useReadOnlyStore<RecipeTag>("tag", store, publicLoading, api.tags);
+  return useReadOnlyStore<RecipeTag>("tag", store, publicLoading, publicInitialized, api.tags);
 };

frontend/app/composables/store/use-tool-store.ts

@@ -9,12 +9,16 @@ interface RecipeToolWithOnHand extends RecipeTool {
 
 const store: Ref<RecipeTool[]> = ref([]);
 const loading = ref(false);
+const initialized = ref(false);
 const publicLoading = ref(false);
+const publicInitialized = ref(false);
 
 export function resetToolStore() {
   store.value = [];
   loading.value = false;
+  initialized.value = false;
   publicLoading.value = false;
+  publicInitialized.value = false;
 }
 
 export const useToolData = function () {
@@ -29,10 +33,10 @@ export const useToolData = function () {
 
 export const useToolStore = function (i18n?: Composer) {
   const api = useUserApi(i18n);
-  return useStore<RecipeTool>("tool", store, loading, api.tools);
+  return useStore<RecipeTool>("tool", store, loading, initialized, api.tools);
 };
 
 export const usePublicToolStore = function (groupSlug: string, i18n?: Composer) {
   const api = usePublicExploreApi(groupSlug, i18n).explore;
-  return useReadOnlyStore<RecipeTool>("tool", store, publicLoading, api.tools);
+  return useReadOnlyStore<RecipeTool>("tool", store, publicLoading, publicInitialized, api.tools);
 };

frontend/app/composables/store/use-unit-store.ts

@@ -5,10 +5,12 @@ import { useUserApi } from "~/composables/api";
 
 const store: Ref<IngredientUnit[]> = ref([]);
 const loading = ref(false);
+const initialized = ref(false);
 
 export function resetUnitStore() {
   store.value = [];
   loading.value = false;
+  initialized.value = false;
 }
 
 export const useUnitData = function () {
@@ -23,5 +25,5 @@ export const useUnitData = function () {
 
 export const useUnitStore = function (i18n?: Composer) {
   const api = useUserApi(i18n);
-  return useStore<IngredientUnit>("unit", store, loading, api.units);
+  return useStore<IngredientUnit>("unit", store, loading, initialized, api.units);
 };

frontend/app/composables/store/use-user-store.ts

@@ -6,10 +6,12 @@ import { BaseCRUDAPIReadOnly } from "~/lib/api/base/base-clients";
 
 const store: Ref<UserSummary[]> = ref([]);
 const loading = ref(false);
+const initialized = ref(false);
 
 export function resetUserStore() {
   store.value = [];
   loading.value = false;
+  initialized.value = false;
 }
 
 class GroupUserAPIReadOnly extends BaseCRUDAPIReadOnly<UserSummary> {
@@ -21,5 +23,5 @@ export const useUserStore = function (i18n?: Composer) {
   const requests = useRequests(i18n);
   const api = new GroupUserAPIReadOnly(requests);
 
-  return useReadOnlyStore<UserSummary>("user", store, loading, api, { orderBy: "full_name" });
+  return useReadOnlyStore<UserSummary>("user", store, loading, initialized, api, { orderBy: "full_name" });
 };

frontend/app/lang/messages/no-NO.json

@@ -98,7 +98,7 @@
     "dashboard": "Kontrollpanel",
     "delete": "Slett",
     "disabled": "Deaktivert",
-    "done": "Ferdig",
+    "done": "Done",
     "download": "Last ned",
     "duplicate": "Dupliser",
     "edit": "Rediger",
@@ -169,7 +169,7 @@
     "token": "Token",
     "tuesday": "Tirsdag",
     "type": "Type",
-    "undo": "Angre",
+    "undo": "Undo",
     "update": "Oppdater",
     "updated": "Oppdatert",
     "upload": "Last opp",
@@ -334,7 +334,7 @@
     "no-meal-plan-defined-yet": "Ingen måltidsplan er definert ennå",
     "no-meal-planned-for-today": "Ingen måltid planlagt i dag",
     "numberOfDaysPast-hint": "Number of days in the past on page load",
-    "numberOfDaysPast-label": "Standard antall dager tilbake",
+    "numberOfDaysPast-label": "Default Days in the Past",
     "numberOfDays-hint": "Antall dager på sideinnlasting",
     "numberOfDays-label": "Standard antall dager",
     "only-recipes-with-these-categories-will-be-used-in-meal-plans": "Kun oppskrifter med disse kategoriene vil bli brukt i måltidsplaner",
@@ -392,7 +392,7 @@
     "nextcloud": {
       "description": "Overfør data fra en Nextcloud Cookbook-instans",
       "description-long": "Oppskrifter fra Nextcloud kan importeres fra en zip-fil som inneholder dataene lagret i Nextcloud. Se eksempelet på mappestrukture nedenfor for å sikre at oppskriftene kan importeres.",
-      "title": "Nextcloud kokebok"
+      "title": "Nextcloud Cookbook"
     },
     "copymethat": {
       "description-long": "Mealie kan importere oppskrifter fra Copy Me That. Eksporter oppskrifter i HTML-format, last deretter opp .zip-filen under.",
@@ -917,7 +917,7 @@
     "quantity": "Antall: {0}",
     "shopping-list": "Handleliste",
     "shopping-lists": "Handlelister",
-    "add-item": "Legg til produkt",
+    "add-item": "Add item",
     "food": "Matvare",
     "note": "Notat",
     "label": "Etikett",
@@ -943,7 +943,7 @@
     "are-you-sure-you-want-to-uncheck-all-items": "Er du sikker på at du vil fjerne valg av alle elementer?",
     "are-you-sure-you-want-to-delete-checked-items": "Er du sikker på at du vil slette alle valgte elementer?",
     "no-shopping-lists-found": "Ingen handlelister funnet",
-    "item-checked-off": "Avkrysset av {item}"
+    "item-checked-off": "Checked off {item}"
   },
   "sidebar": {
     "all-recipes": "Alle oppskrifter",
@@ -1478,10 +1478,10 @@
     "max-length": "Må være minst minst {max} tegn må bestå av maks {max} tegn"
   },
   "announcements": {
-    "announcements": "Kunngjøringer",
-    "all-announcements": "Alle kunngjøringer",
-    "mark-all-as-read": "Marker alle som lest",
-    "show-announcements-from-mealie": "Vis kunngjøringer fra Mealie",
+    "announcements": "Announcements",
+    "all-announcements": "All announcements",
+    "mark-all-as-read": "Mark All as Read",
+    "show-announcements-from-mealie": "Show announcements from Mealie",
     "show-announcements-setting-description": "Whether or not you want to allow users to see announcements from Mealie. When enabled users can still opt-out from seeing them in their user settings"
   }
 }

frontend/app/lang/messages/pl-PL.json

@@ -51,7 +51,7 @@
     "category": "Kategoria"
   },
   "events": {
-    "apprise-url": "URL Apprise",
+    "apprise-url": "Apprise URL",
     "database": "Baza danych",
     "delete-event": "Usuń wydarzenie",
     "event-delete-confirmation": "Czy na pewno chcesz usunąć to zdarzenie?",
@@ -98,7 +98,7 @@
     "dashboard": "Panel główny",
     "delete": "Usuń",
     "disabled": "Wyłączone",
-    "done": "Gotowe",
+    "done": "Done",
     "download": "Pobierz",
     "duplicate": "Duplikuj",
     "edit": "Edytuj",
@@ -169,7 +169,7 @@
     "token": "Token",
     "tuesday": "Wtorek",
     "type": "Typ",
-    "undo": "Cofnij",
+    "undo": "Undo",
     "update": "Zaktualizuj",
     "updated": "Zaktualizowano",
     "upload": "Prześlij",
@@ -917,7 +917,7 @@
     "quantity": "Ilość: {0}",
     "shopping-list": "Lista zakupów",
     "shopping-lists": "Listy zakupów",
-    "add-item": "Dodaj element",
+    "add-item": "Add item",
     "food": "Jedzenie",
     "note": "Notatka",
     "label": "Etykieta",
@@ -943,7 +943,7 @@
     "are-you-sure-you-want-to-uncheck-all-items": "Czy na pewno chcesz odznaczyć wszystkie elementy?",
     "are-you-sure-you-want-to-delete-checked-items": "Czy jesteś pewien, że chcesz usunąć wszystkie zaznaczone elementy?",
     "no-shopping-lists-found": "Nie znaleziono list zakupów",
-    "item-checked-off": "Zaznaczono {item}"
+    "item-checked-off": "Checked off {item}"
   },
   "sidebar": {
     "all-recipes": "Wszystkie",
@@ -1478,10 +1478,10 @@
     "max-length": "Może zawierać co najwyżej {max} znak|Może zawierać co najwyżej {max} znaki|Może zawierać co najwyżej {max} znaków"
   },
   "announcements": {
-    "announcements": "Ogłoszenia",
-    "all-announcements": "Wszystkie ogłoszenia",
-    "mark-all-as-read": "Oznacz wszystkie jako przeczytane",
-    "show-announcements-from-mealie": "Pokazuj ogłoszenia z Mealie",
-    "show-announcements-setting-description": "Czy chcesz by użytkownicy widzieli ogłoszenia z Mealie? Użytkownicy będą w dalszym ciągu mogli wyłączyć ogłoszenia w swoich ustawieniach użytkownika"
+    "announcements": "Announcements",
+    "all-announcements": "All announcements",
+    "mark-all-as-read": "Mark All as Read",
+    "show-announcements-from-mealie": "Show announcements from Mealie",
+    "show-announcements-setting-description": "Whether or not you want to allow users to see announcements from Mealie. When enabled users can still opt-out from seeing them in their user settings"
   }
 }

frontend/app/lang/messages/sl-SI.json

@@ -943,7 +943,7 @@
     "are-you-sure-you-want-to-uncheck-all-items": "Ali res ne želite izbrati vseh elementov?",
     "are-you-sure-you-want-to-delete-checked-items": "Ali ste prepričani, da želite izbrisati vse izbrane elemente?",
     "no-shopping-lists-found": "Ni nakupovalnih seznamov",
-    "item-checked-off": "Odkljukano {item}"
+    "item-checked-off": "Checked off {item}"
   },
   "sidebar": {
     "all-recipes": "Vsi recepti",

frontend/app/lang/messages/uk-UA.json

@@ -911,7 +911,7 @@
     "all-lists": "Всі списки",
     "create-shopping-list": "Сторити список покупок",
     "from-recipe": "З рецепту",
-    "ingredient-of-recipe": "Інгредієнт з {recipe}",
+    "ingredient-of-recipe": "Ingredient of {recipe}",
     "list-name": "Назва списку",
     "new-list": "Новий список",
     "quantity": "Кількість: {0}",

mealie/core/security/providers/openid_provider.py

@@ -35,7 +35,7 @@ class OpenIDProvider(AuthProvider[UserInfo]):
             self._logger.debug("[OIDC]   %s: %s", key, value)
 
         if not self.required_claims.issubset(claims.keys()):
-            self._logger.error(
+            self._logger.debug(
                 "[OIDC] Required claims not present. Expected: %s Actual: %s",
                 self.required_claims,
                 claims.keys(),
@@ -45,7 +45,7 @@ class OpenIDProvider(AuthProvider[UserInfo]):
         # Check for empty required claims
         for claim in self.required_claims:
             if not claims.get(claim):
-                self._logger.error("[OIDC] Required claim '%s' is empty", claim)
+                self._logger.debug("[OIDC] Required claim '%s' is empty", claim)
                 raise MissingClaimException()
 
         repos = get_repositories(self.session, group_id=None, household_id=None)

mealie/repos/seed/resources/foods/locales/no-NO.json

@@ -571,8 +571,8 @@
             "delicata squash": {
                 "aliases": [],
                 "description": "",
-                "name": "delikat squash",
-                "plural_name": "delikate squasher"
+                "name": "delicata squash",
+                "plural_name": "delicata squashes"
             },
             "Frisée": {
                 "aliases": [
@@ -980,7 +980,7 @@
                 "aliases": [],
                 "description": "",
                 "name": "kastanjepuré",
-                "plural_name": "kastanjepuré"
+                "plural_name": "chestnut purée"
             },
             "prickly pear": {
                 "aliases": [],
@@ -1045,7 +1045,7 @@
             "sweet lime": {
                 "aliases": [],
                 "description": "",
-                "name": "søt lime",
+                "name": "sweet lime",
                 "plural_name": "sweet limes"
             },
             "custard-apple": {
@@ -1873,8 +1873,8 @@
             "melon seed": {
                 "aliases": [],
                 "description": "",
-                "name": "melonfrø",
-                "plural_name": "melonfrø"
+                "name": "melon seed",
+                "plural_name": "melon seeds"
             },
             "lotus seed": {
                 "aliases": [],
@@ -2003,48 +2003,48 @@
             "parmesan cheese": {
                 "aliases": [],
                 "description": "",
-                "name": "parmesanost",
-                "plural_name": "parmesanost"
+                "name": "parmesan cheese",
+                "plural_name": "parmesan cheese"
             },
             "cheddar cheese": {
                 "aliases": [
-                    "cheddarost"
+                    "cheddar cheese"
                 ],
                 "description": "",
-                "name": "cheddarost",
-                "plural_name": "cheddarost"
+                "name": "cheddar cheese",
+                "plural_name": "cheddar cheese"
             },
             "cream cheese": {
                 "aliases": [],
                 "description": "",
-                "name": "kremost",
-                "plural_name": "kremost"
+                "name": "cream cheese",
+                "plural_name": "cream cheese"
             },
             "sharp cheddar cheese": {
                 "aliases": [
-                    "skarp cheddarost"
+                    "sharp cheddar"
                 ],
                 "description": "",
-                "name": "skarp cheddarost",
-                "plural_name": "skarp cheddarost"
+                "name": "sharp cheddar cheese",
+                "plural_name": "sharp cheddar cheese"
             },
             "cheese": {
                 "aliases": [],
                 "description": "",
-                "name": "ost",
-                "plural_name": "ost"
+                "name": "cheese",
+                "plural_name": "cheese"
             },
             "mozzarella cheese": {
                 "aliases": [],
                 "description": "",
-                "name": "mozzarellaost",
-                "plural_name": "mozzarellaost"
+                "name": "mozzarella cheese",
+                "plural_name": "mozzarella cheese"
             },
             "feta cheese": {
                 "aliases": [],
                 "description": "",
-                "name": "fetaost",
-                "plural_name": "fetaost"
+                "name": "feta cheese",
+                "plural_name": "feta cheese"
             },
             "ricotta cheese": {
                 "aliases": [],
@@ -2073,14 +2073,14 @@
             "goat cheese": {
                 "aliases": [],
                 "description": "",
-                "name": "geitost",
-                "plural_name": "geitost"
+                "name": "goat cheese",
+                "plural_name": "goat cheese"
             },
             "fresh mozzarella cheese": {
                 "aliases": [],
                 "description": "",
-                "name": "fersk mozzarellaost",
-                "plural_name": "fersk mozzarellaost"
+                "name": "fresh mozzarella cheese",
+                "plural_name": "fresh mozzarella cheese"
             },
             "swis cheese": {
                 "aliases": [],

mealie/repos/seed/resources/foods/locales/pl-PL.json

@@ -919,7 +919,7 @@
             "jackfruit": {
                 "aliases": [],
                 "description": "",
-                "name": "owoc chlebowca",
+                "name": "jackfruit",
                 "plural_name": "jackfruity"
             },
             "dragon fruit": {

mealie/routes/auth/auth.py

@@ -134,6 +134,7 @@ async def oauth_callback(request: Request, session: Session = Depends(generate_s
             auth_provider = OpenIDProvider(session, userinfo, use_default_groups=True)
             auth = auth_provider.authenticate()
         except MissingClaimException:
+            logger.error("[OIDC] Required claims not present in ID token or userinfo endpoint")
             auth = None
 
     if not auth:

mealie/routes/media/media_recipe.py

@@ -58,6 +58,6 @@ async def get_recipe_asset(recipe_id: UUID4, file_name: str):
         raise HTTPException(status.HTTP_400_BAD_REQUEST)
 
     if file.exists():
-        return FileResponse(file)
+        return FileResponse(file, filename=file.name, content_disposition_type="attachment")
     else:
         raise HTTPException(status.HTTP_404_NOT_FOUND)

mealie/routes/recipe/recipe_crud_routes.py

@@ -80,6 +80,8 @@ from mealie.services.scraper.scraper_strategies import (
 
 from ._base import BaseRecipeController, JSONBytes
 
+ASSET_ALLOWED_EXTENSIONS = {"pdf", "jpg", "jpeg", "png", "gif", "webp", "bmp", "avif", "txt", "md", "csv", "json"}
+
 router = UserAPIRouter(prefix="/recipes", route_class=MealieCrudRoute)
 
 
@@ -660,6 +662,10 @@ class RecipeController(BaseRecipeController):
         if "." in extension:
             extension = extension.split(".")[-1]
 
+        extension = extension.lower()
+        if extension not in ASSET_ALLOWED_EXTENSIONS:
+            raise HTTPException(status_code=400, detail="Unsupported file extension")
+
         file_slug = slugify(name)
         if not extension or not file_slug:
             raise HTTPException(status_code=400, detail="Missing required fields")

mealie/routes/recipe/timeline_events.py

@@ -15,6 +15,7 @@ from mealie.schema.recipe.recipe_timeline_events import (
     RecipeTimelineEventPagination,
     RecipeTimelineEventUpdate,
     TimelineEventImage,
+    TimelineEventType,
 )
 from mealie.schema.recipe.request_helpers import UpdateImageResponse
 from mealie.schema.response.pagination import PaginationQuery
@@ -50,6 +51,10 @@ class RecipeTimelineEventsController(BaseCrudController):
             override=RecipeTimelineEventOut,
         )
 
+        for event in response.items:
+            if event.event_type == TimelineEventType.system.value:
+                event.subject = self.t(event.subject)
+
         response.set_pagination_guides(router.url_path_for("get_all"), q.model_dump())
         return response
 
@@ -83,7 +88,10 @@ class RecipeTimelineEventsController(BaseCrudController):
 
     @router.get("/{item_id}", response_model=RecipeTimelineEventOut)
     def get_one(self, item_id: UUID4):
-        return self.mixins.get_one(item_id)
+        event = self.mixins.get_one(item_id)
+        if event.event_type == TimelineEventType.system.value:
+            event.subject = self.t(event.subject)
+        return event
 
     @router.put("/{item_id}", response_model=RecipeTimelineEventOut)
     def update_one(self, item_id: UUID4, data: RecipeTimelineEventUpdate):

mealie/services/recipe/recipe_service.py

@@ -38,6 +38,8 @@ from mealie.services.scraper import cleaner
 
 from .template_service import TemplateService
 
+RECIPE_CREATED_EVENT_SUBJECT = "recipe.recipe-created"
+
 
 class RecipeServiceBase(BaseService):
     def __init__(self, repos: AllRepositories, user: PrivateUser, household: HouseholdInDB, translator: Translator):
@@ -69,8 +71,19 @@ class RecipeService(RecipeServiceBase):
     def can_delete(self, recipe_slugs: list[str]) -> bool:
         if self.user.admin:
             return True
-        else:
-            return self.can_update(recipe_slugs)
+
+        # Deletion requires ownership; collaborative editing rules (can_update) do not apply
+        model = self.group_recipes.model
+        owned_count = self.group_recipes.session.scalar(
+            sa.select(sa.func.count())
+            .select_from(model)
+            .where(
+                model.slug.in_(recipe_slugs),
+                model.group_id == self.user.group_id,
+                model.user_id == self.user.id,
+            )
+        )
+        return owned_count == len(recipe_slugs)
 
     def can_update(self, recipe_slugs: list[str]) -> bool:
         sql = dedent(
@@ -224,7 +237,7 @@ class RecipeService(RecipeServiceBase):
         timeline_event_data = RecipeTimelineEventCreate(
             user_id=new_recipe.user_id,
             recipe_id=new_recipe.id,
-            subject=self.t("recipe.recipe-created"),
+            subject=RECIPE_CREATED_EVENT_SUBJECT,
             event_type=TimelineEventType.system,
             timestamp=new_recipe.created_at or datetime.now(UTC),
         )

tests/integration_tests/user_recipe_tests/test_recipe_cross_household.py

@@ -201,19 +201,12 @@ def test_delete_recipes_from_other_households(
     assert recipe_json["id"] == h2_recipe_id
 
     response = api_client.delete(api_routes.recipes_slug(recipe_json["slug"]), headers=unique_user.token)
-    if household_lock_recipe_edits:
-        assert response.status_code == 403
+    assert response.status_code == 403
 
-        # confirm the recipe still exists
-        response = api_client.get(api_routes.recipes_slug(h2_recipe_id), headers=unique_user.token)
-        assert response.status_code == 200
-        assert response.json()["id"] == h2_recipe_id
-    else:
-        assert response.status_code == 200
-
-        # confirm the recipe was deleted
-        response = api_client.get(api_routes.recipes_slug(h2_recipe_id), headers=unique_user.token)
-        assert response.status_code == 404
+    # confirm the recipe still exists
+    response = api_client.get(api_routes.recipes_slug(h2_recipe_id), headers=unique_user.token)
+    assert response.status_code == 200
+    assert response.json()["id"] == h2_recipe_id
 
 
 @pytest.mark.parametrize("is_private_household", [True, False])

tests/integration_tests/user_recipe_tests/test_recipe_image_assets.py

@@ -87,6 +87,23 @@ def test_recipe_asset_exploit(api_client: TestClient, unique_user: TestUser, rec
     assert not (recipe.asset_dir / "test.txt").exists()
 
 
+def test_recipe_asset_dangerous_extension_blocked(
+    api_client: TestClient, unique_user: TestUser, recipe_ingredient_only: Recipe
+):
+    """Ensure scriptable extensions are rejected to prevent stored XSS (GHSA-gfwc-pjx4-mg9p)."""
+    recipe = recipe_ingredient_only
+    for ext in ("html", "svg", "js", "htm", "xhtml"):
+        payload = {"name": random_string(10), "icon": "mdi-file", "extension": ext}
+        file_payload = {"file": b"<script>alert(1)</script>"}
+        response = api_client.post(
+            f"/api/recipes/{recipe.slug}/assets",
+            data=payload,
+            files=file_payload,
+            headers=unique_user.token,
+        )
+        assert response.status_code == 400, f"expected 400 for extension={ext}, got {response.status_code}"
+
+
 def test_recipe_image_upload(api_client: TestClient, unique_user: TestUser, recipe_ingredient_only: Recipe):
     data_payload = {"extension": "jpg"}
     file_payload = {"image": data.images_test_image_1.read_bytes()}

tests/integration_tests/user_recipe_tests/test_recipe_owner.py

@@ -160,6 +160,24 @@ def test_other_user_cant_delete_recipe(api_client: TestClient, user_tuple: list[
     assert response.status_code == 403
 
 
+def test_other_user_cant_delete_unlocked_recipe(api_client: TestClient, user_tuple: list[TestUser]):
+    """Non-owner must not delete an unlocked recipe — BOLA regression (GHSA-x5v9-9jvh-7c7q)."""
+    slug = random_string(10)
+    unique_user, other_user = user_tuple
+
+    unique_user.repos.recipes.create(
+        Recipe(
+            user_id=unique_user.user_id,
+            group_id=unique_user.group_id,
+            name=slug,
+            settings=RecipeSettings(locked=False),
+        )
+    )
+
+    response = api_client.delete(api_routes.recipes_slug(slug), headers=other_user.token)
+    assert response.status_code == 403
+
+
 def test_other_user_bulk_delete(api_client: TestClient, user_tuple: list[TestUser]):
     slug_locked = random_string(10)
     slug_unlocked = random_string(10)
@@ -190,6 +208,30 @@ def test_other_user_bulk_delete(api_client: TestClient, user_tuple: list[TestUse
     assert response.status_code == 403
 
 
+def test_other_user_cant_bulk_delete_unlocked_recipes(api_client: TestClient, user_tuple: list[TestUser]):
+    """Non-owner must not bulk-delete unlocked recipes — BOLA regression (GHSA-x5v9-9jvh-7c7q)."""
+    slug_1 = random_string(10)
+    slug_2 = random_string(10)
+    unique_user, other_user = user_tuple
+
+    for slug in (slug_1, slug_2):
+        unique_user.repos.recipes.create(
+            Recipe(
+                user_id=unique_user.user_id,
+                group_id=unique_user.group_id,
+                name=slug,
+                settings=RecipeSettings(locked=False),
+            )
+        )
+
+    response = api_client.post(
+        api_routes.recipes_bulk_actions_delete,
+        json={"recipes": [slug_1, slug_2]},
+        headers=other_user.token,
+    )
+    assert response.status_code == 403
+
+
 def test_admin_can_delete_locked_recipe_owned_by_another_user(
     api_client: TestClient, unfiltered_database: AllRepositories, unique_user: TestUser, admin_user: TestUser
 ):

tests/integration_tests/user_recipe_tests/test_recipe_timeline_events.py

@@ -3,18 +3,24 @@ from uuid import uuid4
 import pytest
 from fastapi.testclient import TestClient
 
+from mealie.lang.providers import get_all_translations
 from mealie.schema.recipe.recipe import Recipe
 from mealie.schema.recipe.recipe_timeline_events import (
     RecipeTimelineEventOut,
     RecipeTimelineEventPagination,
     TimelineEventImage,
+    TimelineEventType,
 )
 from mealie.schema.recipe.request_helpers import UpdateImageResponse
+from mealie.services.recipe.recipe_service import RECIPE_CREATED_EVENT_SUBJECT
 from tests.utils import api_routes
 from tests.utils.factories import random_string
 from tests.utils.fixture_schemas import TestUser
 
 
+PERSISTED_TRANSLATION_KEYS = [RECIPE_CREATED_EVENT_SUBJECT]
+
+
 @pytest.fixture(scope="function")
 def recipes(api_client: TestClient, unique_user: TestUser):
     recipes = []
@@ -341,6 +347,50 @@ def test_create_recipe_with_timeline_event(
         assert events_pagination.items
 
 
+@pytest.mark.parametrize("translation_key", PERSISTED_TRANSLATION_KEYS)
+def test_persisted_translation_keys_have_translations(translation_key: str):
+    translations = get_all_translations(translation_key)
+    missing_translations = [locale for locale, translation in translations.items() if translation == translation_key]
+
+    assert missing_translations == []
+
+
+def test_recipe_created_system_event_is_translated(
+    api_client: TestClient,
+    unique_user: TestUser,
+    recipes: list[Recipe],
+):
+    recipe = recipes[0]
+    params = {"queryFilter": f"recipe_id={recipe.id}"}
+
+    # fetch events in French — the system "recipe created" event should be translated
+    fr_headers = {**unique_user.token, "Accept-Language": "fr-FR"}
+    events_response = api_client.get(api_routes.recipes_timeline_events, params=params, headers=fr_headers)
+    assert events_response.status_code == 200
+    events_pagination = RecipeTimelineEventPagination.model_validate(events_response.json())
+
+    system_events = [e for e in events_pagination.items if e.event_type == TimelineEventType.system.value]
+    assert system_events, "expected at least one system event for a newly created recipe"
+
+    for event in system_events:
+        assert event.subject == "Recette créée", f"expected French translation, got: {event.subject!r}"
+
+        # also verify the individual GET endpoint translates correctly
+        single_response = api_client.get(api_routes.recipes_timeline_events_item_id(event.id), headers=fr_headers)
+        assert single_response.status_code == 200
+        single_event = RecipeTimelineEventOut.model_validate(single_response.json())
+        assert single_event.subject == "Recette créée"
+
+    # fetch the same events in English — subject should be the English string
+    en_headers = {**unique_user.token, "Accept-Language": "en-US"}
+    events_response = api_client.get(api_routes.recipes_timeline_events, params=params, headers=en_headers)
+    events_pagination = RecipeTimelineEventPagination.model_validate(events_response.json())
+
+    system_events = [e for e in events_pagination.items if e.event_type == TimelineEventType.system.value]
+    for event in system_events:
+        assert event.subject == "Recipe Created", f"expected English string, got: {event.subject!r}"
+
+
 @pytest.mark.parametrize("use_other_household_user", [True, False])
 def test_invalid_recipe_id(
     api_client: TestClient, unique_user: TestUser, h2_user: TestUser, use_other_household_user: bool