Tokens take precedence over default user setting

2025-08-02 10:55:30 -04:00 · 2020-12-30 11:12:56 +00:00 · 2020-12-30 11:12:56 +00:00 · bd34b803f1
commit bd34b803f1
parent 85ad38c321
2 changed files with 16 additions and 6 deletions
--- a/src/handlers/auth_handler.cr
+++ b/src/handlers/auth_handler.cr
@ -74,10 +74,17 @@ class AuthHandler < Kemal::Handler
    end

    if request_path_startswith env, ["/admin", "/api/admin", "/download"]
-      unless validate_token_admin(env) ||
-             Storage.default.username_is_admin Config.current.default_username
-        env.response.status_code = 403
+      # The token (if exists) takes precedence over the default user option.
+      #   this is why we check the default username first before checking the
+      #   token.
+      should_reject = true
+      if Storage.default.username_is_admin Config.current.default_username
+        should_reject = false
      end
+      if env.session.string? "token"
+        should_reject = !validate_token_admin(env)
+      end
+      env.response.status_code = 403 if should_reject
    end

    call_next env
--- a/src/util/web.cr
+++ b/src/util/web.cr
@ -4,13 +4,16 @@ macro layout(name)
  base_url = Config.current.base_url
  begin
    is_admin = false
-    if token = env.session.string? "token"
-      is_admin = @context.storage.verify_admin token
-    end
+    # The token (if exists) takes precedence over the default user option.
+    #   this is why we check the default username first before checking the
+    #   token.
    if Config.current.disable_login
      is_admin = @context.storage.
        username_is_admin Config.current.default_username
    end
+    if token = env.session.string? "token"
+      is_admin = @context.storage.verify_admin token
+    end
    page = {{name}}
    render "src/views/#{{{name}}}.html.ecr", "src/views/layout.html.ecr"
  rescue e