From a8d524a0225ea0a93279ccd938c9c1933b0f8e85 Mon Sep 17 00:00:00 2001
From: Luke Mino-Altherr
Date: Sat, 14 Mar 2026 22:46:14 -0400
Subject: [PATCH] Remove mime_type from asset update API
Clients can no longer modify mime_type after asset creation via the PUT /api/assets/{id} endpoint. This reduces the risk of mime_type spoofing. The internal update_asset_hash_and_mime function remains available for server-side use (e.g., enrichment).
Amp-Thread-ID: https://ampcode.com/threads/T-019cef5d-8d61-75cc-a1c6-2841ac395648
Co-authored-by: Amp
---
 app/assets/api/routes.py | 1 -
 app/assets/api/schemas_in.py | 5 ++---
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/app/assets/api/routes.py b/app/assets/api/routes.py
index 02b4d1726..68126b6a5 100644
--- a/app/assets/api/routes.py
+++ b/app/assets/api/routes.py
@@ -494,7 +494,6 @@ async def update_asset_route(request: web.Request) -> web.Response:
 name=body.name,
 user_metadata=body.user_metadata,
 owner_id=USER_MANAGER.get_request_user_id(request),
- mime_type=body.mime_type,
 preview_id=body.preview_id,
 )
 payload = _build_asset_response(result)
diff --git a/app/assets/api/schemas_in.py b/app/assets/api/schemas_in.py
index 8bcbc6dca..186a6ae1e 100644
--- a/app/assets/api/schemas_in.py
+++ b/app/assets/api/schemas_in.py
@@ -100,17 +100,16 @@ class ListAssetsQuery(BaseModel):
 class UpdateAssetBody(BaseModel):
 name: str | None = None
 user_metadata: dict[str, Any] | None = None
- mime_type: str | None = None
 preview_id: str | None = None # references an asset_reference id, not an asset id
 @model_validator(mode="after")
 def _validate_at_least_one_field(self):
 if all(
 v is None
- for v in (self.name, self.user_metadata, self.mime_type, self.preview_id)
+ for v in (self.name, self.user_metadata, self.preview_id)
 ):
 raise ValueError(
- "Provide at least one of: name, user_metadata, mime_type, preview_id."
+ "Provide at least one of: name, user_metadata, preview_id."
 )
 return self
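Review bot: With `mime_type` dropped from `UpdateAssetBody`, a PUT body that still sends it alongside another field appears to be accepted with the key silently discarded, assuming the model keeps Pydantic's default of ignoring unknown fields (no `model_config` is visible in the class lines of this hunk). A client that relied on the old behaviour then gets a success response and no signal that the MIME type was left unchanged. If rejection is preferred, `model_config = ConfigDict(extra="forbid")` on the class would turn that into a validation error; otherwise a comment such as `# mime_type is server-set (enrichment); clients cannot change it after creation` would record the intent next to the fields. The diffstat lists no test file, so a test asserting that a PUT containing `mime_type` leaves the stored value untouched would pin the behaviour this commit is relying on.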