Fix: Prevent access to role selection page when not in no-auth mode
Return 403 Forbidden instead of redirecting to prevent potential redirect loops. Add proper logging for unauthorized access attempts.
This commit is contained in:
@@ -1,6 +1,6 @@
|
|||||||
"""Authentication routes for Entra ID login/logout and no-auth mode"""
|
"""Authentication routes for Entra ID login/logout and no-auth mode"""
|
||||||
import secrets
|
import secrets
|
||||||
from flask import session, redirect, url_for, request, current_app, render_template, flash
|
from flask import session, redirect, url_for, request, current_app, render_template, flash, abort
|
||||||
from . import auth_bp
|
from . import auth_bp
|
||||||
from app.models.user import UserModel
|
from app.models.user import UserModel
|
||||||
|
|
||||||
@@ -34,8 +34,8 @@ def select_role():
|
|||||||
"""Role selection page for no-auth mode"""
|
"""Role selection page for no-auth mode"""
|
||||||
# Only available in no-auth mode
|
# Only available in no-auth mode
|
||||||
if current_app.config.get('AUTH_MODE') != 'none':
|
if current_app.config.get('AUTH_MODE') != 'none':
|
||||||
flash('Role selection is only available in no-auth mode', 'error')
|
current_app.logger.warning(f"Attempted to access role selection in {current_app.config.get('AUTH_MODE')} mode")
|
||||||
return redirect(url_for('auth.login'))
|
abort(403, description="Role selection is only available in no-auth mode")
|
||||||
|
|
||||||
if request.method == 'POST':
|
if request.method == 'POST':
|
||||||
role = request.form.get('role', 'user')
|
role = request.form.get('role', 'user')
|
||||||
|
|||||||
Reference in New Issue
Block a user