LotusGuild/tinker_tickets
4
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

Block web access to generate_api_key.php

Browse Source 
Added php_sapi_name() CLI guard matching the pattern used in migrate.php
and cleanup_ratelimit.php. Without this, the script was web-accessible
and could generate an API key without authentication if no keys existed yet.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Jared Vititoe
2026-04-11 21:44:35 -04:00
parent e3ebc766e5
commit 3b0b7621e0
1 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
generate_api_key.php
+6
View File
@@ -6,6 +6,12 @@
* Usage: php generate_api_key.php * Usage: php generate_api_key.php
*/ */
// Prevent web access
if (php_sapi_name() !== 'cli') {
http_response_code(403);
exit('CLI access only');
}
require_once __DIR__ . '/config/config.php'; require_once __DIR__ . '/config/config.php';
require_once __DIR__ . '/models/ApiKeyModel.php'; require_once __DIR__ . '/models/ApiKeyModel.php';
require_once __DIR__ . '/models/UserModel.php'; require_once __DIR__ . '/models/UserModel.php';