Fix admin API bypassing

2025-08-02 10:55:30 -04:00 · 2021-01-17 08:10:43 +00:00 · 2021-01-17 08:10:43 +00:00 · 3071d44e32
commit 3071d44e32
parent 7a09c9006a
3 changed files with 29 additions and 16 deletions
--- a/src/handlers/auth_handler.cr
+++ b/src/handlers/auth_handler.cr
@ -82,7 +82,12 @@ class AuthHandler < Kemal::Handler
      if env.session.string? "token"
        should_reject = !validate_token_admin(env)
      end
-      env.response.status_code = 403 if should_reject
+      if should_reject
+        env.response.status_code = 403
+        message = "HTTP 403: You are not authorized to visit #{env.request.path}"
+        send_error_page
+        return
+      end
    end

    call_next env
--- a/src/server.cr
+++ b/src/server.cr
@ -7,10 +7,6 @@ require "./routes/*"

 class Server
  def initialize
-    error 403 do |env|
-      message = "HTTP 403: You are not authorized to visit #{env.request.path}"
-      layout "message"
-    end
    error 404 do |env|
      message = "HTTP 404: Mango cannot find the page #{env.request.path}"
      layout "message"
--- a/src/util/web.cr
+++ b/src/util/web.cr
@ -1,19 +1,23 @@
 # Web related helper functions/macros

+macro check_admin_access
+  is_admin = false
+  # The token (if exists) takes precedence over the default user option.
+  #   this is why we check the default username first before checking the
+  #   token.
+  if Config.current.disable_login
+    is_admin = Storage.default.
+      username_is_admin Config.current.default_username
+  end
+  if token = env.session.string? "token"
+    is_admin = Storage.default.verify_admin token
+  end
+end
+
 macro layout(name)
  base_url = Config.current.base_url
+  check_admin_access
  begin
-    is_admin = false
-    # The token (if exists) takes precedence over the default user option.
-    #   this is why we check the default username first before checking the
-    #   token.
-    if Config.current.disable_login
-      is_admin = Storage.default.
-        username_is_admin Config.current.default_username
-    end
-    if token = env.session.string? "token"
-      is_admin = Storage.default.verify_admin token
-    end
    page = {{name}}
    render "src/views/#{{{name}}}.html.ecr", "src/views/layout.html.ecr"
  rescue e
@ -24,6 +28,14 @@ macro layout(name)
  end
 end

+macro send_error_page
+  base_url = Config.current.base_url
+  check_admin_access
+  page = "Error"
+  html = render "src/views/message.html.ecr", "src/views/layout.html.ecr"
+  send_file env, html.to_slice, "text/html"
+end
+
 macro send_img(env, img)
  send_file {{env}}, {{img}}.data, {{img}}.mime
 end