fix: harden dashboard RBAC and cookie auth flows
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m17s
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m17s
Restrict Docker/Files writes to admins, move terminal websocket auth to cookie-first with temporary query fallback, and migrate refresh-token handling to httpOnly cookies for safer session persistence. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -2,9 +2,10 @@ import os
|
||||
import re
|
||||
import shutil
|
||||
from pathlib import Path
|
||||
from fastapi import APIRouter, UploadFile, File, HTTPException
|
||||
from fastapi import APIRouter, Depends, UploadFile, File, HTTPException
|
||||
from fastapi.responses import FileResponse
|
||||
from config import VOLUME_ROOT
|
||||
from rbac import require_admin
|
||||
|
||||
router = APIRouter()
|
||||
BASE = Path(VOLUME_ROOT)
|
||||
@@ -79,7 +80,7 @@ def download(path: str):
|
||||
raise HTTPException(status_code=403, detail="Access denied")
|
||||
|
||||
|
||||
@router.post("/upload")
|
||||
@router.post("/upload", dependencies=[Depends(require_admin())])
|
||||
async def upload(path: str, file: UploadFile = File(...)):
|
||||
try:
|
||||
safe_name = _sanitize_filename(file.filename)
|
||||
@@ -99,7 +100,7 @@ async def upload(path: str, file: UploadFile = File(...)):
|
||||
return {"ok": True}
|
||||
|
||||
|
||||
@router.delete("/delete")
|
||||
@router.delete("/delete", dependencies=[Depends(require_admin())])
|
||||
def delete(path: str, recursive: bool = False):
|
||||
try:
|
||||
target = _safe_path(path)
|
||||
|
||||
Reference in New Issue
Block a user