brut/bincio-activity
1
0
Fork 0
Code Issues Pull Requests Actions 8 Packages Projects Releases Wiki Activity

fix: add local _require_admin guard to proxied endpoints; update test to expect 503 without bincio-auth
CI / Python tests (push) Waiting to run
Details
CI / Frontend build (push) Waiting to run
Details

Browse Source
This commit is contained in:
Davide Scaini
2026-06-03 22:07:41 +02:00
parent 3624fd051f
commit f167c6eed7
2 changed files with 8 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
bincio/serve/routers/admin.py
+4
View File
@@ -165,6 +165,7 @@ async def admin_reset_password_code(
bincio_session: str | None = Cookie(default=None), bincio_session: str | None = Cookie(default=None),
) -> JSONResponse: ) -> JSONResponse:
"""Generate a one-time password reset code for a user. Proxied to bincio-auth.""" """Generate a one-time password reset code for a user. Proxied to bincio-auth."""
deps._require_admin(bincio_session)
return await _auth_proxy("POST", f"/api/admin/users/{handle}/reset-password-code", bincio_session) return await _auth_proxy("POST", f"/api/admin/users/{handle}/reset-password-code", bincio_session)
@@ -174,6 +175,7 @@ async def admin_suspend(
bincio_session: str | None = Cookie(default=None), bincio_session: str | None = Cookie(default=None),
) -> JSONResponse: ) -> JSONResponse:
"""Suspend a user account. Proxied to bincio-auth.""" """Suspend a user account. Proxied to bincio-auth."""
deps._require_admin(bincio_session)
return await _auth_proxy("POST", f"/api/admin/users/{handle}/suspend", bincio_session) return await _auth_proxy("POST", f"/api/admin/users/{handle}/suspend", bincio_session)
@@ -183,6 +185,7 @@ async def admin_unsuspend(
bincio_session: str | None = Cookie(default=None), bincio_session: str | None = Cookie(default=None),
) -> JSONResponse: ) -> JSONResponse:
"""Re-enable a suspended user account. Proxied to bincio-auth.""" """Re-enable a suspended user account. Proxied to bincio-auth."""
deps._require_admin(bincio_session)
return await _auth_proxy("POST", f"/api/admin/users/{handle}/unsuspend", bincio_session) return await _auth_proxy("POST", f"/api/admin/users/{handle}/unsuspend", bincio_session)
@@ -192,6 +195,7 @@ async def admin_delete_account(
bincio_session: str | None = Cookie(default=None), bincio_session: str | None = Cookie(default=None),
) -> JSONResponse: ) -> JSONResponse:
"""Delete a user account. Proxied to bincio-auth.""" """Delete a user account. Proxied to bincio-auth."""
deps._require_admin(bincio_session)
return await _auth_proxy("DELETE", f"/api/admin/users/{handle}/account", bincio_session) return await _auth_proxy("DELETE", f"/api/admin/users/{handle}/account", bincio_session)
tests/serve/test_admin_router.py
+4 -9
View File
@@ -59,13 +59,8 @@ class TestAdminUserOps:
def test_delete_account_requires_admin(self, client: TestClient): def test_delete_account_requires_admin(self, client: TestClient):
assert client.delete("/api/admin/users/alice/account").status_code == 401 assert client.delete("/api/admin/users/alice/account").status_code == 401
def test_admin_reset_password_code(self, admin_client: TestClient, tmp_data): def test_admin_reset_password_code_proxied(self, admin_client: TestClient):
from bincio.serve.db import create_user, open_db # This endpoint proxies to bincio-auth; without BINCIO_AUTH_API configured
db = open_db(tmp_data) # in the test environment it returns 503.
try:
create_user(db, "target", "Target", "targetpass1")
except Exception:
pass
r = admin_client.post("/api/admin/users/target/reset-password-code") r = admin_client.post("/api/admin/users/target/reset-password-code")
assert r.status_code == 200 assert r.status_code == 503
assert "code" in r.json()