LotusGuild/gandalf
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: admin-only suppression enforcement, links.html broken date parsing
Lint / Python (flake8) (push) Successful in 40s
Details
Lint / JS (eslint) (push) Successful in 7s
Details
Security / Python Security (bandit) (push) Successful in 44s
Details
Test / Python Tests (pytest) (push) Successful in 49s
Details
Lint / Notify on failure (push) Has been skipped
Details
Lint / Deploy (push) Successful in 3s
Details

Browse Source 
Security: add require_admin decorator; apply to POST/DELETE /api/suppressions
and /suppressions page. Previously any user in allowed_groups could create or
delete suppressions even though the nav restricts the UI to admins.

Bug: links.html "Updated:" timestamp and stale-warning both produced
Invalid Date because the raw "YYYY-MM-DD HH:MM:SS UTC" string was appended
with 'Z' instead of being normalised through _toIso(). Fix both call sites to
use _toIso(), and remove the now-redundant local _toIso redefinition.

Style: use `with open(sentinel, 'w'): pass` consistently (was open().close()
at avatar JPEG validation path).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Jared Vititoe
2026-05-11 13:03:37 -04:00
parent 4e3d0a1f0a
commit 9c4dd5df51
2 changed files with 18 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app.py
+16 -1
View File
@@ -155,6 +155,17 @@ def require_auth(f):
return wrapper
def require_admin(f):
"""Decorator: require require_auth AND membership in the 'admin' group."""
@wraps(f)
def wrapper(*args, **kwargs):
user = _get_user()
if 'admin' not in user.get('groups', []):
return jsonify({'error': 'Admin access required'}), 403
return f(*args, **kwargs)
return wrapper
# ---------------------------------------------------------------------------
# Helpers
# ---------------------------------------------------------------------------
@@ -228,6 +239,7 @@ def inspector():
@app.route('/suppressions')
@require_auth
@require_admin
def suppressions_page():
user = _get_user()
active = db.get_active_suppressions()
@@ -323,6 +335,7 @@ def api_get_suppressions():
@app.route('/api/suppressions', methods=['POST'])
@require_auth
@require_admin
def api_create_suppression():
user = _get_user()
data = request.get_json(silent=True) or {}
@@ -371,6 +384,7 @@ def api_create_suppression():
@app.route('/api/suppressions/<int:sup_id>', methods=['DELETE'])
@require_auth
@require_admin
def api_delete_suppression(sup_id: int):
user = _get_user()
db.deactivate_suppression(sup_id)
@@ -612,7 +626,8 @@ def api_avatar():
avatar_data = avatar_data.encode('latin-1')
if avatar_data[:3] != b'\xFF\xD8\xFF':
logger.warning(f'Non-JPEG avatar data for {username}')
open(sentinel, 'w').close()
with open(sentinel, 'w'):
pass
return '', 404
with open(cache_file, 'wb') as f:
templates/links.html
+2 -3
View File
@@ -36,7 +36,6 @@
{% block scripts %}
<script>
const escHtml = s => lt.escHtml(s);
const _toIso = s => s ? s.replace(' UTC', 'Z').replace(' ', 'T') : s;
// ── Formatting helpers ────────────────────────────────────────────
function fmtRate(bytesPerSec) {
@@ -527,7 +526,7 @@ function expandAll() {
// ── Stale data warning ────────────────────────────────────────────
function checkLinksStale(updatedStr) {
if (!updatedStr) return;
const age = (Date.now() - new Date(updatedStr + (updatedStr.includes('Z') ? '' : 'Z'))) / 1000;
const age = (Date.now() - new Date(_toIso(updatedStr))) / 1000;
let banner = document.getElementById('links-stale-banner');
if (age > 120) {
if (!banner) {
@@ -556,7 +555,7 @@ async function loadLinks() {
}
const updEl = document.getElementById('links-updated');
if (updEl && data.updated) {
updEl.textContent = 'Updated: ' + new Date(data.updated + (data.updated.includes('Z') ? '' : 'Z')).toLocaleTimeString();
updEl.textContent = 'Updated: ' + new Date(_toIso(data.updated)).toLocaleTimeString();
}
renderLinks(data);
checkLinksStale(data.updated);