curo/Business-Management
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Harden admin route visibility: 404 not 403, redirect to /login

Browse Source 
- deps.py: get_current_admin returns 404 Not Found for non-superusers instead
  of 403 Forbidden — hides endpoint existence from unauthorised callers
- App.tsx: AdminRoute redirects non-admins to /login instead of /, making
  the route indistinguishable from a non-existent page

Layer 3 (network-level IP restriction via Traefik) tracked in TODO.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
curo1305
2026-04-13 18:46:33 +02:00
parent 456681fdfa
commit 87c7cc193a
2 changed files with 6 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
frontend/src/App.tsx
+2 -1
View File
@@ -21,7 +21,8 @@ function AdminRoute({ children }: { children: React.ReactNode }) {
if (!token) return <Navigate to="/login" replace />;
// Wait for the me query before deciding — prevents a flash redirect
if (isLoading) return null;
if (!user?.is_admin) return <Navigate to="/" replace />;
// Redirect to /login (not /) so the route appears not to exist
if (!user?.is_admin) return <Navigate to="/login" replace />;
return <>{children}</>;
}