TattooMate 1.3.7.5-RC.1 – API hardened & admin area cleaned up
Version 1.3.7.5
This update does not bring new forms or visible "marketing features".
Instead, we are working on the foundation – security, structure, and maintainability.
🔒 Server-side enforcement of all sensitive APIs
The TattooMate permission system is now consistently enforced in the backend.
All relevant endpoints check permissions server-side via requirePermission() – including:
- Settings (including SMTP)
- License status
- User management
- Form APIs
- Upload and download endpoints
- Image and ID data
Unauthorized access is reliably blocked and returns consistent error codes.
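The following is an added sketch of such a server-side guard, not TattooMate's own code: the page names requirePermission() but not its signature, so the wrapper shape, session fields, permission names and route paths below are all assumptions. It shows the two properties described above: every route is wrapped, and rejected requests get the same status codes everywhere.

```javascript
// Hypothetical guard: the page names requirePermission() but not its signature.
function requirePermission(permission, handler) {
  if (typeof permission !== "string" || permission.length === 0) {
    // Fail at registration so a route cannot be wired without a permission.
    throw new TypeError("requirePermission: permission name is required");
  }
  return function guarded(req) {
    const session = req && req.session;
    // No valid session: one uniform 401 body for every endpoint.
    if (!session || !session.userId || !(session.expiresAt > Date.now())) {
      return { status: 401, body: { error: "unauthenticated" } };
    }
    // Permissions are read from the server-side session only, never from
    // client-supplied fields such as req.body or req.query.
    const granted = Array.isArray(session.permissions) ? session.permissions : [];
    if (!granted.includes(permission)) {
      return { status: 403, body: { error: "forbidden" } };
    }
    return handler(req);
  };
}

// Constructed route table (paths and permission names are assumptions).
const routes = {
  "GET /api/settings/smtp": requirePermission("settings.read", () => ({
    status: 200, body: { host: "smtp.example.test" },
  })),
  "GET /api/uploads/id-scan": requirePermission("uploads.read", () => ({
    status: 200, body: { file: "constructed-sample" },
  })),
};

function dispatch(method, path, req) {
  const route = routes[`${method} ${path}`];
  // Deny by default: anything not registered is not served.
  if (!route) return { status: 404, body: { error: "not_found" } };
  return route(req);
}
```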
🖼 Uploads and image data protected against unauthorized access
Download and upload routes for images and ID data will not be freely accessible.
Without a valid session and matching permissions, access is not possible.
This is especially important when handling sensitive customer data.
🧹 API structure cleaned up
Unused or redundant API routes are being removed.
This reduces the attack surface and improves long-term maintainability.
🔑 License check stabilized
The license check now uses an internal TTL cache.
This means:
- No unnecessary continuous requests to the license server
- Stable operation even during brief API issues
- Feature flags update automatically after the TTL expires
Restarting the application is no longer required for license changes.
⚙️ Admin area: only active modules visible
In the app settings, form settings are now only shown when the respective module is activated.
This results in a significantly calmer and clearer dashboard – no more "locked" feeling, just the modules the studio actually uses.
This update is primarily a step toward stability and system security.