ct/bmc_hub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(settings): update SQL console access to require any permission instead of superadmin

Browse Source
This commit is contained in:
Christian 2026-05-16 19:46:31 +02:00
parent 1b6b37e96e
commit e0c4e138d6
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
app/settings/backend/views.py
View File

@ -12,10 +12,11 @@ from pydantic import BaseModel
from app.core.config import settings from app.core.config import settings
from app.core.database import get_db_connection, release_db_connection, execute_query_single, execute_query from app.core.database import get_db_connection, release_db_connection, execute_query_single, execute_query
from app.core.auth_dependencies import require_superadmin from app.core.auth_dependencies import require_any_permission
router = APIRouter() router = APIRouter()
templates = Jinja2Templates(directory="app") templates = Jinja2Templates(directory="app")
sql_console_access = require_any_permission("users.manage", "system.admin")
CREATE_TABLE_RE = re.compile( CREATE_TABLE_RE = re.compile(
r"CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*\(", r"CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*\(",
@ -329,7 +330,7 @@ def _sanitize_and_validate_sql(sql: str) -> str:
@router.get("/settings/sql", response_class=HTMLResponse, tags=["Frontend"]) @router.get("/settings/sql", response_class=HTMLResponse, tags=["Frontend"])
async def sql_console_page(request: Request, _current_user: dict = Depends(require_superadmin)): async def sql_console_page(request: Request, _current_user: dict = Depends(sql_console_access)):
return templates.TemplateResponse( return templates.TemplateResponse(
"settings/frontend/sql_console.html", "settings/frontend/sql_console.html",
{ {
@ -340,7 +341,7 @@ async def sql_console_page(request: Request, _current_user: dict = Depends(requi
@router.post("/settings/sql/execute", tags=["Frontend"]) @router.post("/settings/sql/execute", tags=["Frontend"])
async def execute_sql_console_query(payload: SqlConsoleRequest, _current_user: dict = Depends(require_superadmin)): async def execute_sql_console_query(payload: SqlConsoleRequest, _current_user: dict = Depends(sql_console_access)):
query = _sanitize_and_validate_sql(payload.query) query = _sanitize_and_validate_sql(payload.query)
limit = payload.limit if isinstance(payload.limit, int) else 200 limit = payload.limit if isinstance(payload.limit, int) else 200
if limit < 1: if limit < 1: