fix: admin-only suppression enforcement, links.html broken date parsing
Lint / Python (flake8) (push) Successful in 40s
Lint / JS (eslint) (push) Successful in 7s
Security / Python Security (bandit) (push) Successful in 44s
Test / Python Tests (pytest) (push) Successful in 49s
Lint / Notify on failure (push) Has been skipped
Lint / Deploy (push) Successful in 3s
Lint / Python (flake8) (push) Successful in 40s
Lint / JS (eslint) (push) Successful in 7s
Security / Python Security (bandit) (push) Successful in 44s
Test / Python Tests (pytest) (push) Successful in 49s
Lint / Notify on failure (push) Has been skipped
Lint / Deploy (push) Successful in 3s
Security: add require_admin decorator; apply to POST/DELETE /api/suppressions and /suppressions page. Previously any user in allowed_groups could create or delete suppressions even though the nav restricts the UI to admins. Bug: links.html "Updated:" timestamp and stale-warning both produced Invalid Date because the raw "YYYY-MM-DD HH:MM:SS UTC" string was appended with 'Z' instead of being normalised through _toIso(). Fix both call sites to use _toIso(), and remove the now-redundant local _toIso redefinition. Style: use `with open(sentinel, 'w'): pass` consistently (was open().close() at avatar JPEG validation path). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -155,6 +155,17 @@ def require_auth(f):
|
|||||||
return wrapper
|
return wrapper
|
||||||
|
|
||||||
|
|
||||||
|
def require_admin(f):
|
||||||
|
"""Decorator: require require_auth AND membership in the 'admin' group."""
|
||||||
|
@wraps(f)
|
||||||
|
def wrapper(*args, **kwargs):
|
||||||
|
user = _get_user()
|
||||||
|
if 'admin' not in user.get('groups', []):
|
||||||
|
return jsonify({'error': 'Admin access required'}), 403
|
||||||
|
return f(*args, **kwargs)
|
||||||
|
return wrapper
|
||||||
|
|
||||||
|
|
||||||
# ---------------------------------------------------------------------------
|
# ---------------------------------------------------------------------------
|
||||||
# Helpers
|
# Helpers
|
||||||
# ---------------------------------------------------------------------------
|
# ---------------------------------------------------------------------------
|
||||||
@@ -228,6 +239,7 @@ def inspector():
|
|||||||
|
|
||||||
@app.route('/suppressions')
|
@app.route('/suppressions')
|
||||||
@require_auth
|
@require_auth
|
||||||
|
@require_admin
|
||||||
def suppressions_page():
|
def suppressions_page():
|
||||||
user = _get_user()
|
user = _get_user()
|
||||||
active = db.get_active_suppressions()
|
active = db.get_active_suppressions()
|
||||||
@@ -323,6 +335,7 @@ def api_get_suppressions():
|
|||||||
|
|
||||||
@app.route('/api/suppressions', methods=['POST'])
|
@app.route('/api/suppressions', methods=['POST'])
|
||||||
@require_auth
|
@require_auth
|
||||||
|
@require_admin
|
||||||
def api_create_suppression():
|
def api_create_suppression():
|
||||||
user = _get_user()
|
user = _get_user()
|
||||||
data = request.get_json(silent=True) or {}
|
data = request.get_json(silent=True) or {}
|
||||||
@@ -371,6 +384,7 @@ def api_create_suppression():
|
|||||||
|
|
||||||
@app.route('/api/suppressions/<int:sup_id>', methods=['DELETE'])
|
@app.route('/api/suppressions/<int:sup_id>', methods=['DELETE'])
|
||||||
@require_auth
|
@require_auth
|
||||||
|
@require_admin
|
||||||
def api_delete_suppression(sup_id: int):
|
def api_delete_suppression(sup_id: int):
|
||||||
user = _get_user()
|
user = _get_user()
|
||||||
db.deactivate_suppression(sup_id)
|
db.deactivate_suppression(sup_id)
|
||||||
@@ -612,7 +626,8 @@ def api_avatar():
|
|||||||
avatar_data = avatar_data.encode('latin-1')
|
avatar_data = avatar_data.encode('latin-1')
|
||||||
if avatar_data[:3] != b'\xFF\xD8\xFF':
|
if avatar_data[:3] != b'\xFF\xD8\xFF':
|
||||||
logger.warning(f'Non-JPEG avatar data for {username}')
|
logger.warning(f'Non-JPEG avatar data for {username}')
|
||||||
open(sentinel, 'w').close()
|
with open(sentinel, 'w'):
|
||||||
|
pass
|
||||||
return '', 404
|
return '', 404
|
||||||
|
|
||||||
with open(cache_file, 'wb') as f:
|
with open(cache_file, 'wb') as f:
|
||||||
|
|||||||
@@ -36,7 +36,6 @@
|
|||||||
{% block scripts %}
|
{% block scripts %}
|
||||||
<script>
|
<script>
|
||||||
const escHtml = s => lt.escHtml(s);
|
const escHtml = s => lt.escHtml(s);
|
||||||
const _toIso = s => s ? s.replace(' UTC', 'Z').replace(' ', 'T') : s;
|
|
||||||
|
|
||||||
// ── Formatting helpers ────────────────────────────────────────────
|
// ── Formatting helpers ────────────────────────────────────────────
|
||||||
function fmtRate(bytesPerSec) {
|
function fmtRate(bytesPerSec) {
|
||||||
@@ -527,7 +526,7 @@ function expandAll() {
|
|||||||
// ── Stale data warning ────────────────────────────────────────────
|
// ── Stale data warning ────────────────────────────────────────────
|
||||||
function checkLinksStale(updatedStr) {
|
function checkLinksStale(updatedStr) {
|
||||||
if (!updatedStr) return;
|
if (!updatedStr) return;
|
||||||
const age = (Date.now() - new Date(updatedStr + (updatedStr.includes('Z') ? '' : 'Z'))) / 1000;
|
const age = (Date.now() - new Date(_toIso(updatedStr))) / 1000;
|
||||||
let banner = document.getElementById('links-stale-banner');
|
let banner = document.getElementById('links-stale-banner');
|
||||||
if (age > 120) {
|
if (age > 120) {
|
||||||
if (!banner) {
|
if (!banner) {
|
||||||
@@ -556,7 +555,7 @@ async function loadLinks() {
|
|||||||
}
|
}
|
||||||
const updEl = document.getElementById('links-updated');
|
const updEl = document.getElementById('links-updated');
|
||||||
if (updEl && data.updated) {
|
if (updEl && data.updated) {
|
||||||
updEl.textContent = 'Updated: ' + new Date(data.updated + (data.updated.includes('Z') ? '' : 'Z')).toLocaleTimeString();
|
updEl.textContent = 'Updated: ' + new Date(_toIso(data.updated)).toLocaleTimeString();
|
||||||
}
|
}
|
||||||
renderLinks(data);
|
renderLinks(data);
|
||||||
checkLinksStale(data.updated);
|
checkLinksStale(data.updated);
|
||||||
|
|||||||
Reference in New Issue
Block a user