core-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity

Merge pull request #200 from Molecule-AI/fix/issue-190-templates-import-auth

Browse Source 
fix(security): #190 — gate POST /templates/import behind AdminAuth
This commit is contained in:
Hongming Wang 2026-04-15 11:00:54 -07:00 committed by GitHub
commit adbcb4fe3b
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
platform/internal/router/router.go
View File

@ -308,7 +308,12 @@ func Setup(hub *ws.Hub, broadcaster *events.Broadcaster, prov *provisioner.Provi
// Templates // Templates
tmplh := handlers.NewTemplatesHandler(configsDir, dockerCli) tmplh := handlers.NewTemplatesHandler(configsDir, dockerCli)
r.GET("/templates", tmplh.List) r.GET("/templates", tmplh.List)
r.POST("/templates/import", tmplh.Import) // #190: POST /templates/import writes arbitrary files into configsDir.
// Must be admin-gated — same class as /bundles/import (#164) and /org/import.
{
tmplAdmin := r.Group("", middleware.AdminAuth(db.DB))
tmplAdmin.POST("/templates/import", tmplh.Import)
}
wsAuth.GET("/shared-context", tmplh.SharedContext) wsAuth.GET("/shared-context", tmplh.SharedContext)
wsAuth.PUT("/files", tmplh.ReplaceFiles) wsAuth.PUT("/files", tmplh.ReplaceFiles)
wsAuth.GET("/files", tmplh.ListFiles) wsAuth.GET("/files", tmplh.ListFiles)