Mirrors/WGDashboard
1
0
Fork 0
mirror of https://github.com/donaldzou/WGDashboard.git synced 2026-04-03 11:26:17 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Fixed where /api/clients paths are bypassed

Browse Source 
Instead of adding `/client` in the white list, we isolate it out to check if the path starts with `APP_PREFIX/client` so then client will bypassed but not `/api/clients`
This commit is contained in:
Donald Zou
2026-03-28 23:33:47 +08:00
parent 22df8a1b1f
commit 920f832297
1 changed files with 7 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/dashboard.py
View File

@@ -249,12 +249,14 @@ def auth_req():
whiteList = [
'/static/', 'validateAuthentication', 'authenticate', 'getDashboardConfiguration',
'getDashboardTheme', 'getDashboardVersion', 'sharePeer/get', 'isTotpEnabled', 'locale',
'/client'
]
if (("username" not in session or session.get("role") != "admin")
and (f"{(APP_PREFIX if len(APP_PREFIX) > 0 else '')}/" != request.path
and f"{(APP_PREFIX if len(APP_PREFIX) > 0 else '')}" != request.path)
appPrefix = APP_PREFIX if len(APP_PREFIX) > 0 else ''
clientPrefix = f"{appPrefix}/client"
if (("username" not in session or session.get("role") != "admin")
and (f"{appPrefix}/" != request.path
and f"{appPrefix}" != request.path)
and not request.path.startswith(clientPrefix)
and len(list(filter(lambda x : x not in request.path, whiteList))) == len(whiteList)
):
response = Flask.make_response(app, {