chore(release): 8.1.3 [skip ci]

## [8.1.3](https://github.com/mediacms-io/mediacms/compare/v8.1.2...v8.1.3) (2026-05-19)

### Bug Fixes

* django connection settings ([#1529](https://github.com/mediacms-io/mediacms/issues/1529)) ([e89c4a3](https://github.com/mediacms-io/mediacms/commit/e89c4a3c8523574b5852a434ed67e281b6290584))
* prestart.sh loaddata re-runs on every container restart ([#1502](https://github.com/mediacms-io/mediacms/issues/1502)) ([777b06b](https://github.com/mediacms-io/mediacms/commit/777b06bbebf141e5b1cb27e17533fe65d57eb6cd))

CHANGELOG.md

@@ -1,5 +1,30 @@
 # Changelog
 
+## [8.1.3](https://github.com/mediacms-io/mediacms/compare/v8.1.2...v8.1.3) (2026-05-19)
+
+### Bug Fixes
+
+* django connection settings ([#1529](https://github.com/mediacms-io/mediacms/issues/1529)) ([e89c4a3](https://github.com/mediacms-io/mediacms/commit/e89c4a3c8523574b5852a434ed67e281b6290584))
+* prestart.sh loaddata re-runs on every container restart ([#1502](https://github.com/mediacms-io/mediacms/issues/1502)) ([777b06b](https://github.com/mediacms-io/mediacms/commit/777b06bbebf141e5b1cb27e17533fe65d57eb6cd))
+
+## [8.1.2](https://github.com/mediacms-io/mediacms/compare/v8.1.1...v8.1.2) (2026-05-18)
+
+### Bug Fixes
+
+* remove redundant check ([#1528](https://github.com/mediacms-io/mediacms/issues/1528)) ([c7a673b](https://github.com/mediacms-io/mediacms/commit/c7a673bbbf46efc37621dc4a5109a85fc10e1317))
+
+## [8.1.1](https://github.com/mediacms-io/mediacms/compare/v8.1.0...v8.1.1) (2026-05-18)
+
+### Bug Fixes
+
+* x-accell headers on uploaded poster ([#1526](https://github.com/mediacms-io/mediacms/issues/1526)) ([ae63a5a](https://github.com/mediacms-io/mediacms/commit/ae63a5af647c8865b96e6e50dda1ea9d29b5bd0b))
+
+## [8.1.0](https://github.com/mediacms-io/mediacms/compare/v8.0.8...v8.1.0) (2026-05-17)
+
+### Features
+
+* introduce x-accell headers ([9302559](https://github.com/mediacms-io/mediacms/commit/9302559d4bb3e4d0adb299ed37438b04c39e1864))
+
 ## [8.0.8](https://github.com/mediacms-io/mediacms/compare/v8.0.7...v8.0.8) (2026-05-13)
 
 ### Bug Fixes

cms/celery.py

@@ -3,7 +3,9 @@ from __future__ import absolute_import
 import os
 
 from celery import Celery
+from celery.signals import worker_process_init
 from django.conf import settings
+from django.db import connections
 
 os.environ.setdefault("DJANGO_SETTINGS_MODULE", "cms.settings")
 app = Celery("cms")
@@ -20,3 +22,13 @@ app.conf.task_always_eager = settings.CELERY_TASK_ALWAYS_EAGER
 
 
 app.conf.worker_prefetch_multiplier = 1
+
+
+@worker_process_init.connect
+def close_db_pool_on_fork(**_):
+    # psycopg3's ConnectionPool is not fork-safe: children inherit dead sockets
+    # from the parent's pool and block on getconn() until PoolTimeout. Dispose
+    # the inherited pool here so each prefork child opens its own on first use.
+    # NB: plain conn.close() would only putconn() back into the broken pool.
+    for conn in connections.all():
+        conn.close_pool()

cms/settings.py

@@ -202,6 +202,15 @@ THUMBNAIL_UPLOAD_DIR = f"{MEDIA_UPLOAD_DIR}/thumbnails/"
 SUBTITLES_UPLOAD_DIR = f"{MEDIA_UPLOAD_DIR}/subtitles/"
 HLS_DIR = os.path.join(MEDIA_ROOT, "hls/")
 
+# Protect media files via nginx auth_request
+# When True, nginx delegates authorization for /media/<protected>/... to a
+# Django endpoint that checks the Media's state and the user's access.
+USE_X_ACCEL_REDIRECT = True
+# Subdirectories of MEDIA_ROOT that should be gated. "chunks" is intentionally
+# omitted (upload state, not playback).
+X_ACCEL_PROTECTED_PATHS = ["encoded", "hls", "original"]
+X_ACCEL_AUTH_CACHE_SECONDS = 300
+
 FFMPEG_COMMAND = "ffmpeg"  # this is the path
 FFPROBE_COMMAND = "ffprobe"  # this is the path
 MP4HLS = "mp4hls"
@@ -398,7 +407,25 @@ LOGGING = {
     },
 }
 
-DATABASES = {"default": {"ENGINE": "django.db.backends.postgresql", "NAME": "mediacms", "HOST": "127.0.0.1", "PORT": "5432", "USER": "mediacms", "PASSWORD": "mediacms", "OPTIONS": {'pool': True}}}
+DATABASES = {
+    "default": {
+        "ENGINE": "django.db.backends.postgresql",
+        "NAME": "mediacms",
+        "HOST": "127.0.0.1",
+        "PORT": "5432",
+        "USER": "mediacms",
+        "PASSWORD": "mediacms",
+        "OPTIONS": {
+            "pool": {
+                "min_size": 2,
+                "max_size": 8,
+                "timeout": 10,
+                "max_lifetime": 30 * 60,
+                "max_idle": 10 * 60,
+            }
+        },
+    }
+}
 
 
 REDIS_LOCATION = "redis://127.0.0.1:6379/1"

cms/version.py

@@ -1 +1 @@
-VERSION = "8.0.7"
+VERSION = "8.1.2"

deploy/docker/local_settings.py

@@ -12,7 +12,15 @@ DATABASES = {
         "PORT": os.getenv('POSTGRES_PORT', '5432'),
         "USER": os.getenv('POSTGRES_USER', 'mediacms'),
         "PASSWORD": os.getenv('POSTGRES_PASSWORD', 'mediacms'),
-        "OPTIONS": {'pool': True},
+        "OPTIONS": {
+            "pool": {
+                "min_size": 2,
+                "max_size": 8,
+                "timeout": 10,
+                "max_lifetime": 30 * 60,
+                "max_idle": 10 * 60,
+            }
+        },
     }
 }
 

deploy/docker/nginx_http_only.conf

@@ -15,9 +15,27 @@ server {
     location /static {
         alias /home/mediacms.io/mediacms/static ;
     }
+    location = /_media_auth {
+        internal;
+        proxy_pass http://127.0.0.1:9000/api/v1/media-auth;
+        proxy_pass_request_body off;
+        proxy_set_header Content-Length "";
+        proxy_set_header Host $host;
+        proxy_set_header X-Original-URI $request_uri;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $forwarded_proto;
+        proxy_set_header Cookie $http_cookie;
+    }
 
-    location /media/original {
+    location ~ ^/media/(encoded|hls|original)/(.*)$ {
-        alias /home/mediacms.io/mediacms/media_files/original;
+        auth_request /_media_auth;
+        alias /home/mediacms.io/mediacms/media_files/$1/$2;
+
+        add_header 'Access-Control-Allow-Origin' '*';
+        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
     }
 
     location /media {

deploy/docker/prestart.sh

@@ -6,7 +6,7 @@ ADMIN_PASSWORD=${ADMIN_PASSWORD:-$RANDOM_ADMIN_PASS}
 if [ X"$ENABLE_MIGRATIONS" = X"yes" ]; then
     echo "Running migrations service"
     python manage.py migrate
-    EXISTING_INSTALLATION=`echo "from users.models import User; print(User.objects.exists())" |python manage.py shell`
+    EXISTING_INSTALLATION=`echo "from users.models import User; print(User.objects.exists())" |python manage.py shell 2>/dev/null | tail -1`
     if [ "$EXISTING_INSTALLATION" = "True" ]; then
         echo "Loaddata has already run"
     else

files/models/media.py

@@ -10,7 +10,7 @@ from django.conf import settings
 from django.contrib.postgres.indexes import GinIndex
 from django.contrib.postgres.search import SearchVectorField
 from django.core.files import File
-from django.db import models
+from django.db import models, transaction
 from django.db.models import Func, Value
 from django.db.models.signals import m2m_changed, post_delete, post_save, pre_delete
 from django.dispatch import receiver
@@ -536,7 +536,9 @@ class Media(models.Model):
 
         from .. import tasks
 
-        tasks.produce_sprite_from_video.delay(self.friendly_token)
+        # Defer until the surrounding transaction commits so the worker can
+        # actually find the Media row. Runs immediately if not in a tx.
+        transaction.on_commit(lambda token=self.friendly_token: tasks.produce_sprite_from_video.delay(token))
         return True
 
     def encode(self, profiles=[], force=True, chunkize=True):

files/urls.py

@@ -106,6 +106,7 @@ urlpatterns = [
     re_path(r"^api/v1/tasks$", views.TasksList.as_view()),
     re_path(r"^api/v1/tasks/$", views.TasksList.as_view()),
     re_path(r"^api/v1/tasks/(?P<friendly_token>[\w|\W]*)$", views.TaskDetail.as_view()),
+    re_path(r"^api/v1/media-auth$", views.media_auth, name="media_auth"),
     re_path(r"^manage/comments$", views.manage_comments, name="manage_comments"),
     re_path(r"^manage/media$", views.manage_media, name="manage_media"),
     re_path(r"^manage/users$", views.manage_users, name="manage_users"),

files/views/__init__.py

@@ -10,6 +10,7 @@ from .media import MediaDetail  # noqa: F401
 from .media import MediaList  # noqa: F401
 from .media import MediaSearch  # noqa: F401
 from .media import media_share  # noqa: F401
+from .media_auth import media_auth  # noqa: F401
 from .pages import about  # noqa: F401
 from .pages import add_subtitle  # noqa: F401
 from .pages import approval_required  # noqa: F401

files/views/media.py

@@ -660,7 +660,9 @@ class MediaBulkUserActions(APIView):
 
             # Prioritize category_uids
             if category_uids:
-                categories = Category.objects.filter(uid__in=category_uids)
+                requested = Category.objects.filter(uid__in=category_uids)
+                allowed_ids = [cat.id for cat in requested if not cat.is_rbac_category or request.user.has_contributor_access_to_category(cat)]
+                categories = Category.objects.filter(id__in=allowed_ids)
             elif lti_context_id:
                 # Filter categories by lti_context_id and ensure they ARE RBAC categories
                 potential_categories = Category.objects.filter(lti_context_id=lti_context_id, is_rbac_category=True)
@@ -691,9 +693,11 @@ class MediaBulkUserActions(APIView):
             if not category_uids:
                 return Response({"detail": "category_uids is required for remove_from_category action"}, status=status.HTTP_400_BAD_REQUEST)
 
-            categories = Category.objects.filter(uid__in=category_uids)
+            requested = Category.objects.filter(uid__in=category_uids)
+            allowed_ids = [cat.id for cat in requested if not cat.is_rbac_category or request.user.has_contributor_access_to_category(cat)]
+            categories = Category.objects.filter(id__in=allowed_ids)
             if not categories:
-                return Response({"detail": "No matching categories found"}, status=status.HTTP_400_BAD_REQUEST)
+                return Response({"detail": "No matching categories found or access denied"}, status=status.HTTP_400_BAD_REQUEST)
 
             removed_count = 0
             for category in categories:

files/views/media_auth.py

@@ -0,0 +1,125 @@
+import re
+from urllib.parse import unquote
+
+from django.conf import settings
+from django.core.cache import cache
+from django.db.models import Q
+from django.http import HttpResponse
+from django.views.decorators.csrf import csrf_exempt
+from django.views.decorators.http import require_GET
+
+from ..methods import is_mediacms_editor
+from ..models import Media
+
+UID_RE = re.compile(r"[0-9a-f]{32}")
+THUMBNAILS_PREFIX = "original/thumbnails/"
+
+
+def _ttl():
+    return getattr(settings, "X_ACCEL_AUTH_CACHE_SECONDS", 300)
+
+
+def _extract_uid(uri):
+    if not uri:
+        return None
+    match = UID_RE.search(uri)
+    return match.group(0) if match else None
+
+
+def _relpath_from_uri(uri):
+    path = unquote(uri.split("?", 1)[0])
+    media_url = settings.MEDIA_URL
+    if path.startswith(media_url):
+        return path[len(media_url) :]
+    return None
+
+
+def _lookup_uid_by_path(relpath):
+    path_key = f"xaccel:path:{relpath}"
+    cached = cache.get(path_key)
+    if cached is not None:
+        return cached or None
+
+    parts = relpath.split("/", 4)
+    if len(parts) < 5 or parts[2] != "user":
+        cache.set(path_key, "", _ttl())
+        return None
+    username = parts[3]
+
+    row = Media.objects.filter(user__username=username).filter(Q(uploaded_thumbnail=relpath) | Q(uploaded_poster=relpath)).values("uid").first()
+    uid_hex = row["uid"].hex if row else ""
+    cache.set(path_key, uid_hex, _ttl())
+    return uid_hex or None
+
+
+def _lookup_state(uid):
+    """Return (state, owner_id) for a uid, or (None, None) if missing.
+
+    Cached on uid alone since state/ownership do not depend on the requester.
+    Uses .values() rather than .only() because Media.__init__ touches deferred
+    file fields, which would otherwise recurse via refresh_from_db.
+    """
+    state_key = f"xaccel:state:{uid}"
+    cached = cache.get(state_key)
+    if cached is not None:
+        return cached
+    row = Media.objects.filter(uid=uid).values("state", "user_id").first()
+    value = (row["state"], row["user_id"]) if row else (None, None)
+    cache.set(state_key, value, _ttl())
+    return value
+
+
+def _decide(uid, user):
+    state, owner_id = _lookup_state(uid)
+    if state is None:
+        return False
+    if state in ("public", "unlisted"):
+        return True
+    # private
+    if not user.is_authenticated:
+        return False
+    if owner_id == user.id:
+        return True
+    if is_mediacms_editor(user):
+        return True
+    # RBAC / MediaPermission path needs a full Media instance.
+    try:
+        media = Media.objects.get(uid=uid)
+    except Media.DoesNotExist:
+        return False
+    return user.has_member_access_to_media(media)
+
+
+@csrf_exempt
+@require_GET
+def media_auth(request):
+    """Authorize a protected media request from nginx auth_request.
+
+    nginx passes the original request URI in the X-Original-URI header. The
+    Media.uid (32 hex chars, no dashes) is embedded somewhere in that URI for
+    every protected path. No uid => deny. Unknown uid => deny.
+    """
+    if not getattr(settings, "USE_X_ACCEL_REDIRECT", True):
+        return HttpResponse(status=204)
+
+    uri = request.META.get("HTTP_X_ORIGINAL_URI", "")
+    uid = _extract_uid(uri)
+    if not uid:
+        # User-uploaded thumbnails/posters don't have the uid in the filename.
+        # Fall back to a per-path lookup, scoped to /original/thumbnails/.
+        relpath = _relpath_from_uri(uri)
+        if relpath and relpath.startswith(THUMBNAILS_PREFIX):
+            uid = _lookup_uid_by_path(relpath)
+        if not uid:
+            return HttpResponse(status=403)
+
+    user = request.user
+    cache_key = f"xaccel:auth:{uid}:{user.id if user.is_authenticated else 'anon'}"
+    cached = cache.get(cache_key)
+    if cached is None:
+        allowed = _decide(uid, user)
+        cache.set(cache_key, allowed, _ttl())
+    else:
+        allowed = cached
+
+    return HttpResponse(status=204 if allowed else 403)

lti/apps.py

@@ -1,16 +1,7 @@
 from django.apps import AppConfig
 
-from .keys import ensure_keys_exist
-
 
 class LtiConfig(AppConfig):
     default_auto_field = 'django.db.models.BigAutoField'
     name = 'lti'
     verbose_name = 'LTI 1.3 Integration'
-
-    def ready(self):
-        """Initialize LTI app - ensure keys exist"""
-        try:
-            ensure_keys_exist()
-        except Exception:
-            pass

lti/keys.py

@@ -21,10 +21,3 @@ def get_jwks():
     """
     public_key = load_public_key()
     return {'keys': [public_key]}
-
-
-def ensure_keys_exist():
-    """Ensure key pair exists in database, generate if not"""
-    from .models import LTIToolKeys
-
-    LTIToolKeys.get_or_create_keys()

package.json

@@ -1,6 +1,6 @@
 {
   "name": "mediacms",
-  "version": "8.0.8",
+  "version": "8.1.3",
   "devDependencies": {
     "@semantic-release/changelog": "^6.0.3",
     "@semantic-release/git": "^10.0.1",

saml_auth/adapter.py

@@ -1,5 +1,6 @@
 import base64
 import logging
+import re
 
 from allauth.socialaccount.adapter import DefaultSocialAccountAdapter
 from allauth.socialaccount.models import SocialApp
@@ -22,7 +23,10 @@ class SAMLAccountAdapter(DefaultSocialAccountAdapter):
 
     def populate_user(self, request, sociallogin, data):
         user = sociallogin.user
-        user.username = sociallogin.account.uid
+        raw_uid = sociallogin.account.uid or ""
+        # Match the user URL pattern in users/urls.py: only [\w@._-] is reverse-able.
+        sanitized = re.sub(r"[^\w.@-]", "_", raw_uid, flags=re.ASCII)
+        user.username = sanitized[:150] if sanitized else raw_uid
         for item in ["name", "first_name", "last_name"]:
             if data.get(item):
                 setattr(user, item, data[item])

setup.cfg

@@ -2,4 +2,4 @@
 exclude = .git,*migrations*
 max-line-length = 119
 #ignore=F401,F403,E501,W503
-ignore=E501
+ignore=E501,E203

users/validators.py

@@ -7,8 +7,8 @@ from django.utils.translation import gettext_lazy as _
 
 @deconstructible
 class ASCIIUsernameValidator(validators.RegexValidator):
-    regex = r"^[\w.@]+$"
+    regex = r"^[\w.@-]+$"
-    message = _("Enter a valid username. This value may contain only " "English letters and numbers")
+    message = _("Enter a valid username. This value may contain only English letters, numbers, and '_', '.', '@', '-'.")
     flags = re.ASCII
 
 

users/views.py

@@ -1,3 +1,4 @@
+from allauth.account.adapter import get_adapter
 from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.contrib.auth.password_validation import validate_password
@@ -277,6 +278,11 @@ class UserList(APIView):
         if not all([username, password, email, name]):
             return Response({"detail": "username, password, email, and name are required."}, status=status.HTTP_400_BAD_REQUEST)
 
+        try:
+            username = get_adapter().clean_username(username, shallow=True)
+        except DjangoValidationError as e:
+            return Response({"detail": e.messages[0]}, status=status.HTTP_400_BAD_REQUEST)
+
         if User.objects.filter(username=username).exists():
             return Response({"detail": "A user with that username already exists."}, status=status.HTTP_400_BAD_REQUEST)