Bug Fixes + Duplicate Support (#1016)

* Update README.md supporter list

* Fix: Multiple bug fixes and features bundle (#888, #991, #617, #984) (#1007)

* fix: resolve location creation failures, broken image uploads, and invalid URL handling

- Add missing addToast import in LocationDetails.svelte for proper error feedback
- Add objectId check and error response handling in ImageManagement.svelte to prevent ghost images
- Add Content-Type check in +page.server.ts image action to handle non-JSON backend responses
- Add client-side URL validation in LocationDetails.svelte (invalid URLs → null)
- Improve Django field error extraction for user-friendly toast messages
- Clean up empty description fields (whitespace → null)
- Update BUGFIX_DOCUMENTATION.md with detailed fix descriptions

* feat: bug fixes and new features bundle

Bug fixes:
- fix: resolve PATCH location with visits (#888)
- fix: Wikipedia/URL image upload via server-side proxy (#991)
- fix: private/public toggle race condition (#617)
- fix: location creation feedback (addToast import)
- fix: invalid URL handling for locations and collections
- fix: world map country highlighting (bg-*-200 -> bg-*-400)
- fix: clipboard API polyfill for HTTP contexts
- fix: MultipleObjectsReturned for duplicate images
- fix: SvelteKit proxy sessionid cookie forwarding

Features:
- feat: duplicate location button (list + detail view)
- feat: duplicate collection button
- feat: i18n translations for 19 languages
- feat: improved error handling and user feedback

Technical:
- Backend: fetch_from_url endpoint with SSRF protection
- Backend: validate_link() for collections
- Backend: file_permissions filter() instead of get()
- Frontend: copyToClipboard() helper function
- Frontend: clipboard polyfill via server-side injection

* chore: switch docker-compose from image to build

Use local source code builds instead of upstream :latest images
to preserve our custom patches and fixes.

* fix: lodging save errors, AI language support, and i18n improvements

- Fix Lodging save: add res.ok checks, error toasts, isSaving state (#984)
- Fix URL validation: silently set invalid URLs to null (Lodging, Transportation)
- Fix AI description language: pass user locale to Wikipedia API
- Fix missing i18n keys: Strava toggle buttons (show/hide)
- Add CHANGELOG.md
- Remove internal documentation from public tracking
- Update .gitignore for Cursor IDE and internal docs

Co-authored-by: Cursor <cursoragent@cursor.com>

* feat: update location duplication handling, improve UI feedback, and enhance localization support

---------

Co-authored-by: AdventureLog Bugfix <bugfix@adventurelog.local>
Co-authored-by: madmp87 <info@so-pa.de>
Co-authored-by: Mathias Ponnwitz <devuser@dockge-dev.fritz.box>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Sean Morley <mail@seanmorley.com>

* Enhance duplication functionality for collections and locations; update UI to reflect changes

* Potential fix for code scanning alert no. 49: Information exposure through an exception

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Update Django and Pillow versions in requirements.txt

* Fix error logging for image fetch timeout in ContentImageViewSet

* Update requirements.txt to include jaraco.context and wheel for security fixes

* Update app version and add security vulnerabilities to .trivyignore

* Update backend/server/adventures/views/collection_view.py

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update frontend/src/lib/types.ts

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Reorder build and image directives in docker-compose.yml for clarity

* Refactor code structure for improved readability and maintainability

* Remove inline clipboard polyfill script injection from server hooks (#1019)

* Initial plan

* Remove inline clipboard polyfill script injection from hooks.server.ts

Co-authored-by: seanmorley15 <98704938+seanmorley15@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: seanmorley15 <98704938+seanmorley15@users.noreply.github.com>

* Fix unhandled promise rejections in copyToClipboard click handlers (#1018)

* Initial plan

* Fix: make copyToClipboard handlers async with try/catch error toast

Co-authored-by: seanmorley15 <98704938+seanmorley15@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: seanmorley15 <98704938+seanmorley15@users.noreply.github.com>

* Harden `fetch_from_url` image proxy: require auth, rate-limit, and strengthen SSRF protections (#1017)

* Initial plan

* Harden fetch_from_url: require auth, rate-limit, block non-standard ports, check all IPs, re-validate redirects

Co-authored-by: seanmorley15 <98704938+seanmorley15@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: seanmorley15 <98704938+seanmorley15@users.noreply.github.com>

* Fix subregion filtering in world travel page to exclude null values

* Update package.json to use caret (^) for versioning in overrides

* fix: update package dependencies for compatibility and stability

- Added cookie dependency with version constraint <0.7.0
- Updated svelte dependency to allow versions <=5.51.4
- Updated @sveltejs/adapter-vercel dependency to allow versions <6.3.2

* Refactor code structure for improved readability and maintainability

---------

Co-authored-by: madmp87 <79420509+madmp87@users.noreply.github.com>
Co-authored-by: AdventureLog Bugfix <bugfix@adventurelog.local>
Co-authored-by: madmp87 <info@so-pa.de>
Co-authored-by: Mathias Ponnwitz <devuser@dockge-dev.fritz.box>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>

backend/server/adventures/utils/file_permissions.py

@@ -4,83 +4,55 @@ from adventures.models import Visit
 
 protected_paths = ['images/', 'attachments/']
 
+def _check_content_object_permission(content_object, user):
+    """Check if user has permission to access a content object."""
+    # handle differently when content_object is a Visit, get the location instead
+    if isinstance(content_object, Visit):
+        if content_object.location:
+            content_object = content_object.location
+
+    # Check if content object is public
+    if hasattr(content_object, 'is_public') and content_object.is_public:
+        return True
+
+    # Check if user owns the content object
+    if hasattr(content_object, 'user') and content_object.user == user:
+        return True
+
+    # Check collection-based permissions
+    if hasattr(content_object, 'collections') and content_object.collections.exists():
+        for collection in content_object.collections.all():
+            if collection.user == user or collection.shared_with.filter(id=user.id).exists():
+                return True
+        return False
+    elif hasattr(content_object, 'collection') and content_object.collection:
+        if content_object.collection.user == user or content_object.collection.shared_with.filter(id=user.id).exists():
+            return True
+        return False
+    else:
+        return False
+
 def checkFilePermission(fileId, user, mediaType):
     if mediaType not in protected_paths:
         return True
     if mediaType == 'images/':
-        try:
-            # Construct the full relative path to match the database field
-            image_path = f"images/{fileId}"
-            # Fetch the ContentImage object
-            content_image = ContentImage.objects.get(image=image_path)
-            
-            # Get the content object (could be Location, Transportation, Note, etc.)
-            content_object = content_image.content_object
-
-            # handle differently when content_object is a Visit, get the location instead
-            if isinstance(content_object, Visit):
-                # check visit.location
-                if content_object.location:
-                    # continue with the location check
-                    content_object = content_object.location
-
-            # Check if content object is public
-            if hasattr(content_object, 'is_public') and content_object.is_public:
-                return True
-            
-            # Check if user owns the content object
-            if hasattr(content_object, 'user') and content_object.user == user:
-                return True
-            
-            # Check collection-based permissions
-            if hasattr(content_object, 'collections') and content_object.collections.exists():
-                # For objects with multiple collections (like Location)
-                for collection in content_object.collections.all():
-                    if collection.user == user or collection.shared_with.filter(id=user.id).exists():
-                        return True
-                return False
-            elif hasattr(content_object, 'collection') and content_object.collection:
-                # For objects with single collection (like Transportation, Note, etc.)
-                if content_object.collection.user == user or content_object.collection.shared_with.filter(id=user.id).exists():
-                    return True
-                return False
-            else:
-                return False
-                
-        except ContentImage.DoesNotExist:
+        image_path = f"images/{fileId}"
+        # Use filter() instead of get() to handle multiple ContentImage entries
+        # pointing to the same file (e.g. after location duplication)
+        content_images = ContentImage.objects.filter(image=image_path)
+        if not content_images.exists():
             return False
+        # Grant access if ANY associated content object permits it
+        for content_image in content_images:
+            content_object = content_image.content_object
+            if content_object and _check_content_object_permission(content_object, user):
+                return True
+        return False
     elif mediaType == 'attachments/':
         try:
-            # Construct the full relative path to match the database field
             attachment_path = f"attachments/{fileId}"
-            # Fetch the ContentAttachment object
             content_attachment = ContentAttachment.objects.get(file=attachment_path)
-            
-            # Get the content object (could be Location, Transportation, Note, etc.)
             content_object = content_attachment.content_object
-            
-            # Check if content object is public
-            if hasattr(content_object, 'is_public') and content_object.is_public:
-                return True
-            
-            # Check if user owns the content object
-            if hasattr(content_object, 'user') and content_object.user == user:
-                return True
-            
-            # Check collection-based permissions
-            if hasattr(content_object, 'collections') and content_object.collections.exists():
-                # For objects with multiple collections (like Location)
-                for collection in content_object.collections.all():
-                    if collection.user == user or collection.shared_with.filter(id=user.id).exists():
-                        return True
-                return False
-            elif hasattr(content_object, 'collection') and content_object.collection:
-                # For objects with single collection (like Transportation, Note, etc.)
-                if content_object.collection.user == user or content_object.collection.shared_with.filter(id=user.id).exists():
-                    return True
-                return False
-            else:
-                return False
-                
+            return _check_content_object_permission(content_object, user) if content_object else False
         except ContentAttachment.DoesNotExist:
-            return False
+            return False