From bcfa6cac43842b6590d453252747ec8983007bb3 Mon Sep 17 00:00:00 2001 From: Matt Hills Date: Mon, 20 Oct 2025 20:06:31 -0400 Subject: [PATCH] Fix: Prevent access to role selection page when not in no-auth mode Return 403 Forbidden instead of redirecting to prevent potential redirect loops. Add proper logging for unauthorized access attempts. --- src/app/blueprints/auth/routes.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/app/blueprints/auth/routes.py b/src/app/blueprints/auth/routes.py index 0374488..999704f 100644 --- a/src/app/blueprints/auth/routes.py +++ b/src/app/blueprints/auth/routes.py @@ -1,6 +1,6 @@ """Authentication routes for Entra ID login/logout and no-auth mode""" import secrets -from flask import session, redirect, url_for, request, current_app, render_template, flash +from flask import session, redirect, url_for, request, current_app, render_template, flash, abort from . import auth_bp from app.models.user import UserModel @@ -34,8 +34,8 @@ def select_role(): """Role selection page for no-auth mode""" # Only available in no-auth mode if current_app.config.get('AUTH_MODE') != 'none': - flash('Role selection is only available in no-auth mode', 'error') - return redirect(url_for('auth.login')) + current_app.logger.warning(f"Attempted to access role selection in {current_app.config.get('AUTH_MODE')} mode") + abort(403, description="Role selection is only available in no-auth mode") if request.method == 'POST': role = request.form.get('role', 'user')