From 920f8322970fdd412d6a59f01ebd0f78f8b0aad1 Mon Sep 17 00:00:00 2001
From: Donald Zou
Date: Sat, 28 Mar 2026 23:33:47 +0800
Subject: [PATCH] Fixed where /api/clients paths are bypassed

Instead of adding `/client` in the white list, we isolate it out to check if the path starts with `APP_PREFIX/client` so then client will bypassed but not `/api/clients`
---
 src/dashboard.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/dashboard.py b/src/dashboard.py
index 6bc13492..3b61af38 100644
--- a/src/dashboard.py
+++ b/src/dashboard.py
@@ -249,12 +249,14 @@ def auth_req():
     whiteList = [
         '/static/', 'validateAuthentication', 'authenticate', 'getDashboardConfiguration',
         'getDashboardTheme', 'getDashboardVersion', 'sharePeer/get', 'isTotpEnabled', 'locale',
-        '/client'
     ]
-
-    if (("username" not in session or session.get("role") != "admin")
-        and (f"{(APP_PREFIX if len(APP_PREFIX) > 0 else '')}/" != request.path
-        and f"{(APP_PREFIX if len(APP_PREFIX) > 0 else '')}" != request.path)
+    appPrefix = APP_PREFIX if len(APP_PREFIX) > 0 else ''
+    clientPrefix = f"{appPrefix}/client"
+
+    if (("username" not in session or session.get("role") != "admin")
+        and (f"{appPrefix}/" != request.path
+        and f"{appPrefix}" != request.path)
+        and not request.path.startswith(clientPrefix)
         and len(list(filter(lambda x : x not in request.path, whiteList))) == len(whiteList)
     ):
         response = Flask.make_response(app, {
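Review bot: The new `not request.path.startswith(clientPrefix)` condition in the `if` is a bare prefix match, so any route whose path begins with `{appPrefix}/client` — not only `/client/...` but also a sibling such as `/clients` or any future `/client-...` endpoint — is exempted from the admin-session check, which is the same over-matching the commit sets out to fix for `/api/clients`. Anchor the exemption on a path-segment boundary: `and not (request.path == clientPrefix or request.path.startswith(f"{clientPrefix}/"))`. The retained whitelist test on the following context line still uses substring containment (`x not in request.path`), so a path that merely contains `locale` or `authenticate` anywhere is exempt as well; that is pre-existing, but it deserves the same boundary treatment in a follow-up. Minor style point: `APP_PREFIX if len(APP_PREFIX) > 0 else ''` evaluates to `APP_PREFIX` itself whenever it is a string, so `appPrefix = APP_PREFIX` says the same thing more directly. `auth_req` begins before this hunk and its body continues past it.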