For #119, limit access to logged in users, dev/admin on prod

SuffolkLITLab · May 20, 2024 · 7b253e8 · 7b253e8
1 parent b05e0c3
commit 7b253e8
Showing 1 changed file with 37 additions and 0 deletions.
diff --git a/docassemble/ALDashboard/data/questions/browse_interviews.yml b/docassemble/ALDashboard/data/questions/browse_interviews.yml
@@ -1,8 +1,45 @@
 ---
+comment: |
+  This interview allows you to list all YAML files on the system, which may reveal
+  a new attack surface if you do not properly secure sensitive interviews.
+
+  By default it can be accessed by developers or admins on production servers,
+  and by any logged in user on a development server (with debug: True in global config).
+
+  If you would like to limit access without turning off "debug" mode, modify the global
+  configuration as follows:
+
+  assembly line:
+    require login to browse interviews on development servers: True
+---
 modules:
   - .aldashboard
   - docassemble.demo.accordion
 ---
+initial: True
+code: |
+  if (
+        user_logged_in()
+        and (
+          user_has_privilege(["admin", "developer"])
+          or (
+              get_config("debug")
+              and not (
+                  get_config("assembly line", {}).get("require login to browse interviews on development servers", False)
+                )
+              )
+          )
+      ):
+    pass
+  else:
+    exit_need_logged_in
+---
+id: exit need logged in
+event: exit_need_logged_in
+question: |
+  You must be logged in as a developer or admin to view this page.
+right: |  
+---
 default screen parts:
   right: |
     ${ action_button_html(interview_url(i=f"{user_info().package}:menu.yml"), label="Back to Dashboard") }