Prevent anonymous users from accessing setup pages (!694) · Merge requests · FreedomBox / FreedomBox

Sunil Mohan Adapa requested to merge fonfon:setupfix into master Dec 25, 2016

Created by: fonfon

Anonymous users were able to access pages that used the 'public' decorator of stronghold. If such a page showed the installation routine of the setup module because of missing packages they were able to access and use it, in other words: Anonymous users were able to install software.

Example url: <your-server>/plinth/apps/xmpp/jsxc/, in case you do not have xmpp installed you will see this screen, and the installation will work:

Ideas to make this more generic or implement it on a higher level are very much appreciated.

Prevent anonymous users from accessing setup pages

Merge request reports