From ae3ae61593e5b0dc8382b08fd232413fdc5fc715 Mon Sep 17 00:00:00 2001
From: "thomas.kopp"
Date: Wed, 1 Apr 2026 14:13:02 +0200
Subject: [PATCH] =?UTF-8?q?feat:=20DELETE=20/transcripts/(unknown)=20?= =?UTF-8?q?=E2=80=94=20delete=20transcript=20with=20path-confinement=20che?= =?UTF-8?q?ck?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 api/router.py | 12 ++++++++++++
 tests/test_api.py | 15 +++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/api/router.py b/api/router.py
index 031284a..4eabfcc 100644
--- a/api/router.py
+++ b/api/router.py
@@ -134,6 +134,18 @@ async def get_transcript(filename: str, user: dict = Depends(current_user)):
     return PlainTextResponse(content)
 
 
+@router.delete("/transcripts/(unknown)")
+async def delete_transcript(filename: str, user: dict = Depends(current_user)):
+    user_dir = os.path.join(user["output_dir"], user["username"])
+    if os.path.basename(filename) != filename or not filename.endswith(".md"):
+        raise HTTPException(status_code=404, detail="Nicht gefunden")
+    path = os.path.join(user_dir, filename)
+    if not os.path.exists(path):
+        raise HTTPException(status_code=404, detail="Nicht gefunden")
+    os.unlink(path)
+    return {"ok": True}
+
+
 @router.get("/config")
 async def get_config(user: dict = Depends(current_user)):
     return load_config()
diff --git a/tests/test_api.py b/tests/test_api.py
index 30f215d..2b83992 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
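Review bot: The `os.path.exists(path)` check followed by `os.unlink(path)` in `delete_transcript` is a check-then-act pair: `exists` is True for a directory and False for a dangling symlink, so a directory named `something.md` inside `user_dir` turns the unlink into an unhandled `IsADirectoryError` (a `PermissionError` on some platforms) and a 500, while the name guard two lines above answers 404 for everything else. Attempt the unlink directly and map the expected errors onto the same 404, which also removes the window between the check and the delete. The name guard (`basename(filename) != filename` plus the `.md` suffix) looks like the same rule `get_transcript` applies, but that body lies outside the hunk; if it is duplicated, a single `_transcript_path(user, filename)` helper would keep the two routes from drifting. A deletion is destructive and currently leaves no trace, so a `logger.info("transcript deleted", ...)` with `user["username"]` and `filename` on the success path would give incident responders something to correlate.

```python
    path = os.path.join(user_dir, filename)
    try:
        os.unlink(path)
    except (FileNotFoundError, IsADirectoryError):
        # Same response as the name guard above: do not reveal what exists.
        raise HTTPException(status_code=404, detail="Nicht gefunden") from None
    return {"ok": True}
```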
@@ -69,6 +69,21 @@ def test_get_transcript_rejects_path_traversal(tmp_path):
     assert r.status_code == 404
 
 
+def test_delete_transcript_removes_file(tmp_path):
+    f = tmp_path / "2026-01-01-0900-test.md"
+    f.write_text("content")
+    client = TestClient(make_app_for_dir(str(tmp_path)))
+    r = client.delete("/transcripts/2026-01-01-0900-test.md")
+    assert r.status_code == 200
+    assert not f.exists()
+
+
+def test_delete_transcript_rejects_path_traversal(tmp_path):
+    client = TestClient(make_app_for_dir(str(tmp_path)))
+    r = client.delete("/transcripts/..%2Fsecret.md")
+    assert r.status_code == 404
+
+
 def test_login_rejects_wrong_credentials():
     import tempfile, os
     from unittest.mock import patch
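Review bot: `test_delete_transcript_rejects_path_traversal` asserts only the 404 and never checks that anything outside the user directory survived, so a handler that deleted first and then answered 404 would still pass; create a sentinel beside the directory and assert it is untouched, e.g. `secret = tmp_path.parent / "secret.md"` and `secret.write_text("keep")` before the request, then `assert secret.exists()` after it. The encoded `..%2F` is also likely decoded by the ASGI layer before routing, in which case the 404 comes from no route matching the decoded path rather than from the handler's name check — hard to be certain from here, so it is worth adding a case that certainly reaches `delete_transcript`, such as a wrong-suffix name (`client.delete("/transcripts/notes.txt")`) expecting 404. `test_delete_transcript_removes_file` could additionally pin the response body with `assert r.json() == {"ok": True}` so the route's contract is covered, not just its status.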