From bd34b803f13565a47ce22028d0904ddbff961bb0 Mon Sep 17 00:00:00 2001
From: Alex Ling
Date: Wed, 30 Dec 2020 11:12:56 +0000
Subject: [PATCH] Tokens take precedence over default user setting

---
 src/handlers/auth_handler.cr | 13 ++++++++++---
 src/util/web.cr | 9 ++++++---
 2 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/src/handlers/auth_handler.cr b/src/handlers/auth_handler.cr
index 1db4376..3f094eb 100644
--- a/src/handlers/auth_handler.cr
+++ b/src/handlers/auth_handler.cr
@@ -74,10 +74,17 @@ class AuthHandler < Kemal::Handler
       end
 
       if request_path_startswith env, ["/admin", "/api/admin", "/download"]
-        unless validate_token_admin(env) ||
-               Storage.default.username_is_admin Config.current.default_username
-          env.response.status_code = 403
+        # The token (if exists) takes precedence over the default user option.
+        #   this is why we check the default username first before checking the
+        #   token.
+        should_reject = true
+        if Storage.default.username_is_admin Config.current.default_username
+          should_reject = false
         end
+        if env.session.string? "token"
+          should_reject = !validate_token_admin(env)
+        end
+        env.response.status_code = 403 if should_reject
       end
 
       call_next env
diff --git a/src/util/web.cr b/src/util/web.cr
index 647a536..504bbaa 100644
--- a/src/util/web.cr
+++ b/src/util/web.cr
@@ -4,13 +4,16 @@ macro layout(name)
   base_url = Config.current.base_url
   begin
     is_admin = false
-    if token = env.session.string? "token"
-      is_admin = @context.storage.verify_admin token
-    end
+    # The token (if exists) takes precedence over the default user option.
+    #   this is why we check the default username first before checking the
+    #   token.
     if Config.current.disable_login
       is_admin = @context.storage.
         username_is_admin Config.current.default_username
     end
+    if token = env.session.string? "token"
+      is_admin = @context.storage.verify_admin token
+    end
     page = {{name}}
     render "src/views/#{{{name}}}.html.ecr", "src/views/layout.html.ecr"
   rescue e
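Review bot: `env.response.status_code = 403 if should_reject` in the auth_handler.cr hunk sets the status but does not leave the method, so execution falls through to `call_next env` two lines below and the protected route is still invoked with a 403 attached, unless some downstream handler stops on that status, which is not visible here; the old `unless` branch had the same shape, but this rewrite is the place to make the rejection terminal, e.g. adding `return if should_reject` directly after the status line. The `should_reject` flag is set to true, possibly cleared by the default-user check, then possibly overwritten by the token check, so the precedence the new comment describes is encoded only in assignment order; a single expression states it directly: `should_reject = env.session.string?("token") ? !validate_token_admin(env) : !Storage.default.username_is_admin(Config.current.default_username)`. Note that `env.session.string? "token"` treats an empty-string token as present (only nil and false are falsy in Crystal), which here routes to `validate_token_admin` and therefore rejects; if that is intended, a short comment saying so would save the next reader the same check. The enclosing method of `AuthHandler` begins before and ends after the hunk.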
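Review bot: The `is_admin` computation in the web.cr hunk re-implements the precedence rule from auth_handler.cr with a different default-user condition: here the default username is consulted only when `Config.current.disable_login` is set, while the handler hunk calls `Storage.default.username_is_admin` unconditionally (whether the handler tests disable_login earlier in its method is outside the hunk). Two copies of an authorization decision that already disagree on a condition will drift further, and the visible consequence is a layout whose admin UI state can differ from what the handler enforces; one helper used by both the handler and this macro, with the `disable_login` gate decided in that single place, would keep them aligned. The copied comment "this is why we check the default username first before checking the token" describes assignment order rather than the rule; `# A session token, valid or not, overrides the default-user result, so it is evaluated last.` states the intent directly. `macro layout` starts before the hunk and continues past it.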