From 7b253e86a1bf933b3e5996c70281224f42d160e8 Mon Sep 17 00:00:00 2001
From: Quinten Steenhuis
Date: Mon, 20 May 2024 11:06:07 -0400
Subject: [PATCH] For #119, limit access to logged in users, dev/admin on prod

---
 .../data/questions/browse_interviews.yml | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/docassemble/ALDashboard/data/questions/browse_interviews.yml b/docassemble/ALDashboard/data/questions/browse_interviews.yml
index 6b27bc6..a8816b8 100644
--- a/docassemble/ALDashboard/data/questions/browse_interviews.yml
+++ b/docassemble/ALDashboard/data/questions/browse_interviews.yml
@@ -1,8 +1,45 @@
 ---
+comment: |
+ This interview allows you to list all YAML files on the system, which may reveal
+ a new attack surface if you do not properly secure sensitive interviews.
+
+ By default it can be accessed by developers or admins on production servers,
+ and by any logged in user on a development server (with debug: True in global config).
+
+ If you would like to limit access without turning off "debug" mode, modify the global
+ configuration as follows:
+
+ assembly line:
+ require login to browse interviews on development servers: True
+---
 modules:
 - .aldashboard
 - docassemble.demo.accordion
 ---
+initial: True
+code: |
+ if (
+ user_logged_in()
+ and (
+ user_has_privilege(["admin", "developer"])
+ or (
+ get_config("debug")
+ and not (
+ get_config("assembly line", {}).get("require login to browse interviews on development servers", False)
+ )
+ )
+ )
+ ):
+ pass
+ else:
+ exit_need_logged_in
+---
+id: exit need logged in
+event: exit_need_logged_in
+question: |
+ You must be logged in as a developer or admin to view this page.
+right: |
+---
 default screen parts:
 right: |
 ${ action_button_html(interview_url(i=f"{user_info().package}:menu.yml"), label="Back to Dashboard") }
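Review bot: The `get_config("assembly line", {}).get(...)` call in the new `initial` block will raise instead of evaluating to False if the `assembly line` section is present but empty, since a default passed to `get_config` presumably applies only when the key is absent rather than when its stored value is None — confirm against the docassemble implementation; `(get_config("assembly line") or {}).get("require login to browse interviews on development servers", False)` covers both cases. The guard itself is fail-closed, because an anonymous or under-privileged user falls through to `exit_need_logged_in` and an exception would yield an error page rather than the file listing, so this is a robustness rather than a bypass concern. Consider also flattening the nested condition into a named boolean and dropping the empty `pass` branch, e.g. `dev_server_open = get_config("debug") and not (...)` followed by `if not (user_logged_in() and (user_has_privilege(["admin", "developer"]) or dev_server_open)): exit_need_logged_in`, which makes the access policy easier to audit in one glance. The exit screen's wording ("developer or admin") is narrower than the policy enforced on debug servers, where any logged-in user qualifies by default; a sentence in the `comment` block noting that the message is intentionally conservative would avoid confusion for reviewers of the policy.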