CC2 R4 #2+#5: remove legacy unauth /api/admin/users — close 401 gap

Browse Source

The bare @app.get/post('/api/admin/users') decorators in pgz_sport_api.py
were registered before app.include_router(admin_users_router) and shadowed
the JWT-protected M2 routes, leaking user list to anyone.

Removed all three: GET /api/admin/users, POST /api/admin/users,
POST /api/admin/users/{uid}/toggle. The auth.admin_users router now owns
this prefix exclusively and gates every method with require_user.

Verified: no-auth → 401, invalid token → 401, valid Bearer → 200.

...

This commit is contained in:

Damir Radulić

2026-05-05 00:44:50 +02:00

parent cb3faee731

commit f5c6570d47

20 changed files with 11746 additions and 110 deletions

Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL

Download Patch File Download Diff File Expand all files Collapse all files

_backups/app.html.cc3_pre_profile.1777934543

+1214

File diff suppressed because it is too large Load Diff