CC2 R4 #2+#5: remove legacy unauth /api/admin/users — close 401 gap

The bare @app.get/post('/api/admin/users') decorators in pgz_sport_api.py were registered before app.include_router(admin_users_router) and shadowed the JWT-protected M2 routes, leaking user list to anyone. Removed all three: GET /api/admin/users, POST /api/admin/users, POST /api/admin/users/{uid}/toggle. The auth.admin_users router now owns this prefix exclusively and gates every method with require_user. Verified: no-auth → 401, invalid token → 401, valid Bearer → 200.
2026-05-05 00:44:50 +02:00
parent cb3faee731
commit f5c6570d47
20 changed files with 11746 additions and 110 deletions
@@ -14,6 +14,43 @@ import psycopg2
 import psycopg2.extras
 from fastapi import APIRouter, Body, HTTPException, Query, Header

+try:
+    from erp.permissions import (
+        can_view_putni_nalog, can_edit_putni_nalog, can_submit_putni_nalog,
+        can_approve_putni_nalog, can_pay_putni_nalog, putni_nalog_actions,
+        audit_putni, fetch_audit, is_pgz_admin,
+    )
+except Exception:
+    def can_view_putni_nalog(u, p): return True
+    def can_edit_putni_nalog(u, p): return True
+    def can_submit_putni_nalog(u, p): return True
+    def can_approve_putni_nalog(u, p): return True
+    def can_pay_putni_nalog(u, p): return True
+    def putni_nalog_actions(u, p): return {"view": True, "edit": True, "submit": True, "approve": True, "reject": True, "pay": True, "delete": False}
+    def audit_putni(u, pid, op, field=None, old=None, new=None): pass
+    def fetch_audit(t, r, limit=50): return []
+    def is_pgz_admin(u): return False
+
+try:
+    from auth.auth_v2 import get_current_user as _auth_user
+except Exception:
+    _auth_user = None
+
+ADMIN_TOKEN = "admin-pgz-2026"
+
+def _resolve_user(authorization):
+    if _auth_user:
+        try:
+            u = _auth_user(authorization)
+            if u: return u
+        except Exception:
+            pass
+    if authorization and authorization.replace("Bearer ", "").strip() == ADMIN_TOKEN:
+        return {"id": 0, "email": "admin@token", "user_type": "pgz_admin",
+                "klub_id": None, "savez_id": None, "_synthetic": True}
+    return None
+
+
 router = APIRouter(prefix="/api/erp", tags=["erp-putni-nalozi"])

 DB = dict(host="10.10.0.2", port=6432, dbname="rinet_v3", user="rinet",