Fix: Prevent access to role selection page when not in no-auth mode

Return 403 Forbidden instead of redirecting to prevent potential redirect loops.
Add proper logging for unauthorized access attempts.
This commit is contained in:
2025-10-20 20:06:31 -04:00
parent 2b471ef09f
commit bcfa6cac43

View File

@@ -1,6 +1,6 @@
"""Authentication routes for Entra ID login/logout and no-auth mode""" """Authentication routes for Entra ID login/logout and no-auth mode"""
import secrets import secrets
from flask import session, redirect, url_for, request, current_app, render_template, flash from flask import session, redirect, url_for, request, current_app, render_template, flash, abort
from . import auth_bp from . import auth_bp
from app.models.user import UserModel from app.models.user import UserModel
@@ -34,8 +34,8 @@ def select_role():
"""Role selection page for no-auth mode""" """Role selection page for no-auth mode"""
# Only available in no-auth mode # Only available in no-auth mode
if current_app.config.get('AUTH_MODE') != 'none': if current_app.config.get('AUTH_MODE') != 'none':
flash('Role selection is only available in no-auth mode', 'error') current_app.logger.warning(f"Attempted to access role selection in {current_app.config.get('AUTH_MODE')} mode")
return redirect(url_for('auth.login')) abort(403, description="Role selection is only available in no-auth mode")
if request.method == 'POST': if request.method == 'POST':
role = request.form.get('role', 'user') role = request.form.get('role', 'user')