From 9097872e57b890cc539be4317bf5e519fb919d58 Mon Sep 17 00:00:00 2001
From: Admin MPCZ
Date: Fri, 17 Apr 2026 23:15:04 +0000
Subject: [PATCH] Secu: verif permissions can_view/can_edit sur endpoints HTMX detail/edit
---
 app/routers/audit.py | 3 +++
 app/routers/servers.py | 6 ++++++
 2 files changed, 9 insertions(+)
diff --git a/app/routers/audit.py b/app/routers/audit.py
index 5b8df9a..2e0e9f3 100644
--- a/app/routers/audit.py
+++ b/app/routers/audit.py
@@ -117,6 +117,9 @@ async def audit_detail(request: Request, audit_id: int, db=Depends(get_db)):
 user = get_current_user(request)
 if not user:
 return HTMLResponse("

Non autorisé

")
+ from ..dependencies import get_user_perms, can_view
+ if not can_view(get_user_perms(db, user), "audit"):
+ return HTMLResponse("

Non autorisé

")
 entry = db.execute(text("SELECT * FROM server_audit WHERE id = :id"), {"id": audit_id}).fetchone()
 if not entry:
diff --git a/app/routers/servers.py b/app/routers/servers.py
index 7464b13..59b3817 100644
--- a/app/routers/servers.py
+++ b/app/routers/servers.py
@@ -98,6 +98,9 @@ async def server_detail(request: Request, server_id: int, db=Depends(get_db)):
 user = get_current_user(request)
 if not user:
 return HTMLResponse("

Non autorise

")
+ from ..dependencies import get_user_perms, can_view
+ if not can_view(get_user_perms(db, user), "servers"):
+ return HTMLResponse("

Non autorise

")
 s = get_server_full(db, server_id)
 if not s:
 return HTMLResponse("

Serveur non trouve

")
@@ -115,6 +118,9 @@ async def server_edit(request: Request, server_id: int, db=Depends(get_db)):
 user = get_current_user(request)
 if not user:
 return HTMLResponse("
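Review bot: The new `can_view` denial in server_detail (and the same pattern in audit_detail and server_edit) returns the "Non autorise" fragment with HTMLResponse's default 200 status, so HTMX error handling, the browser and access logs cannot distinguish a refused request from a rendered one; return it as `HTMLResponse("...", status_code=403)`, and the pre-existing no-user branch would deserve a 401 for the same reason. The `from ..dependencies import get_user_perms, can_view` placed inside the handler body is repeated in every hunk and executed on each request; unless it is working around an import cycle, it belongs in the module's import block next to where `get_current_user` is presumably imported. If a separate handler persists the form that server_edit renders, it needs the same `can_edit` gate, since checking only the GET that serves the form does not enforce anything on the write. server_detail's body continues beyond this hunk.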

Non autorise

")
+ from ..dependencies import get_user_perms, can_edit
+ if not can_edit(get_user_perms(db, user), "servers"):
+ return HTMLResponse("

Non autorise

")
 s = get_server_full(db, server_id)
 if not s:
 return HTMLResponse("

Serveur non trouve

")