fix: harden dashboard auth and terminal flows
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 3m29s
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 3m29s
Tighten terminal websocket auth and proxy trust handling while making file-backed auth/RBAC writes atomic to reduce high-impact security and persistence risks. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -100,13 +100,28 @@ async def upload(path: str, file: UploadFile = File(...)):
|
||||
|
||||
|
||||
@router.delete("/delete")
|
||||
def delete(path: str):
|
||||
def delete(path: str, recursive: bool = False):
|
||||
try:
|
||||
target = _safe_path(path)
|
||||
except ValueError:
|
||||
raise HTTPException(status_code=403, detail="Access denied")
|
||||
if target.is_dir():
|
||||
shutil.rmtree(target)
|
||||
else:
|
||||
target.unlink()
|
||||
|
||||
if target == BASE.resolve():
|
||||
raise HTTPException(status_code=403, detail="Cannot delete base root")
|
||||
|
||||
try:
|
||||
if target.is_dir():
|
||||
if not recursive:
|
||||
raise HTTPException(status_code=400, detail="Directory deletion requires recursive=true")
|
||||
shutil.rmtree(target)
|
||||
else:
|
||||
target.unlink()
|
||||
except HTTPException:
|
||||
raise
|
||||
except FileNotFoundError:
|
||||
raise HTTPException(status_code=404, detail="Path not found")
|
||||
except PermissionError:
|
||||
raise HTTPException(status_code=403, detail="Permission denied")
|
||||
except OSError as exc:
|
||||
raise HTTPException(status_code=400, detail=str(exc))
|
||||
return {"ok": True}
|
||||
|
||||
Reference in New Issue
Block a user