🐛 Improve admin security over dnshole controls #1686
Conversation
There was a problem hiding this comment.
This is not how to protect the api call from being made by non admins. This call should be restricted to logged-in users and not only admins.
please read about “admin procedures” and try to understand how trpc works with that. Also you could’ve just put the conditions inside of the react query use mutation call
SeDemal
force-pushed
the
dns-hole-improve-admin-controls
branch
from
bf9044f
to
91d657b
Compare
Changed to protected procedure, but as mentioned in #1685 and as how the widget was initially changed, controlling network behaviour's is an admin procedure. The solution I'm adding is an extra to let normal users use it although they shouldn't be able to. |
The thing is just that admin procedure = admin can do it and protected = logged-in users, there is no point to do a protected procedure and then check if the user is an admin, just use an admin procedure. The normal users can still click the buttons but it will return an error when doing so |
Ok I might have not expressed it properly, I did at first only want admins to be able to use it to follow what was already done before, just improperly. I didn't know in my first draft about protected and admin procedure. |
|
Oooh okay makes sense. Then we make it admin only |
|
This will be better whenever we have a more fine grained permission system |
|
Ok, will do that, thanks :) |
SeDemal
force-pushed
the
dns-hole-improve-admin-controls
branch
3 times, most recently
from
ba1924e
to
4414c0d
Compare
SeDemal
force-pushed
the
dns-hole-improve-admin-controls
branch
from
4414c0d
to
21d5c84
Compare
…ee7babc by renovate (#17301) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [ghcr.io/ajnart/homarr](https://togithub.com/ajnart/homarr) | patch | `0.14.3` -> `0.14.4` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>ajnart/homarr (ghcr.io/ajnart/homarr)</summary> ### [`v0.14.4`](https://togithub.com/ajnart/homarr/releases/tag/v0.14.4) [Compare Source](https://togithub.com/ajnart/homarr/compare/v0.14.3...v0.14.4) #### Deeper integration in Home Assistant Want to toggle your lights? Have a fun to switch on? Or maybe you want to send a reminder to your family? We've upgraded the existing entity state widget and added a new widget that support invoking automations on your Homeassistant. Homeassistant's vast library of integrations enable you to make complex workflow that can be easily started with a single click from Homarr:  #### Improved layout & performance for torrent widget We've improved the layout for smaller screens and significantly cut down the bandwidth required for the torrent widget. This should result in less lag and faster updating on your widget.  #### Renaming & duplicating boards We've heard you: boards can now be renamed / or duplicated. You don't need to mess with any files on the filesystem. #### JSON API We know that there are many advanced users who want to take better control of Homarr's capabilities. Therefore, we've added a JSON API that can be used to execute almost any action that you can from the WEB UI. We provide an Open API specification document that enables you to easily browse your API endpoints:  #### Fixed local paths in icon picker Previously, the local icons were hard to use and had the wrong path by default. We have fixed this problem and added the size of the file as an additional information. #### Availability of media requests [@​tancak](https://togithub.com/tancak) has contributed the displaying of availability information on requests:  ##### What's Changed - docs: updated dead installation links in README.md by [@​stark1tty](https://togithub.com/stark1tty) in [ajnart/homarr#1775 - refactor: improve torrent table design by [@​manuel-rw](https://togithub.com/manuel-rw) in [ajnart/homarr#1786 - docs: fix documentation link URL after creating user by [@​StefanB7](https://togithub.com/StefanB7) in [ajnart/homarr#1796 - feat: add availability information about media requests by [@​tancak](https://togithub.com/tancak) in [ajnart/homarr#1794 - feature: trigger automations by [@​manuel-rw](https://togithub.com/manuel-rw) in [ajnart/homarr#1799 - feature: [#​1765](https://togithub.com/ajnart/homarr/issues/1765) reduce transferred torrent data by [@​manuel-rw](https://togithub.com/manuel-rw) in [ajnart/homarr#1798 - fix: database is not initialized inside the docker container by [@​anonysoul](https://togithub.com/anonysoul) in [ajnart/homarr#1806 - chore: increase version by [@​manuel-rw](https://togithub.com/manuel-rw) in [ajnart/homarr#1811 - feature: improve admin security over dnshole controls by [@​Tagaishi](https://togithub.com/Tagaishi) in [ajnart/homarr#1686 - feature: rss improvements by [@​manuel-rw](https://togithub.com/manuel-rw) in [ajnart/homarr#1810 - feature: board operations by [@​manuel-rw](https://togithub.com/manuel-rw) in [ajnart/homarr#1800 - revert: [#​1714](https://togithub.com/ajnart/homarr/issues/1714) migrate to axios.get by [@​manuel-rw](https://togithub.com/manuel-rw) in [ajnart/homarr#1819 - chore: new Crowdin updates by [@​ajnart](https://togithub.com/ajnart) in [ajnart/homarr#1772 - feature: add trpc openapi by [@​manuel-rw](https://togithub.com/manuel-rw) in [ajnart/homarr#1818 - refactor: optimize imports by [@​manuel-rw](https://togithub.com/manuel-rw) in [ajnart/homarr#1822 - chore: New Crowdin updates by [@​ajnart](https://togithub.com/ajnart) in [ajnart/homarr#1820 - fix: [#​1734](https://togithub.com/ajnart/homarr/issues/1734) fix local icons path by [@​manuel-rw](https://togithub.com/manuel-rw) in [ajnart/homarr#1821 #### New Contributors - [@​stark1tty](https://togithub.com/stark1tty) made their first contribution in [ajnart/homarr#1775 - [@​StefanB7](https://togithub.com/StefanB7) made their first contribution in [ajnart/homarr#1796 - [@​tancak](https://togithub.com/tancak) made their first contribution in [ajnart/homarr#1794 - [@​anonysoul](https://togithub.com/anonysoul) made their first contribution in [ajnart/homarr#1806 **Full Changelog**: ajnart/homarr@v0.14.3...v0.14.4 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 10pm on monday" in timezone Europe/Amsterdam, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://togithub.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xNDAuOSIsInVwZGF0ZWRJblZlciI6IjM3LjE0MC45IiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIn0=-->
…ee7babc by renovate (truecharts#17301) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [ghcr.io/ajnart/homarr](https://togithub.com/ajnart/homarr) | patch | `0.14.3` -> `0.14.4` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>ajnart/homarr (ghcr.io/ajnart/homarr)</summary> ### [`v0.14.4`](https://togithub.com/ajnart/homarr/releases/tag/v0.14.4) [Compare Source](https://togithub.com/ajnart/homarr/compare/v0.14.3...v0.14.4) #### Deeper integration in Home Assistant Want to toggle your lights? Have a fun to switch on? Or maybe you want to send a reminder to your family? We've upgraded the existing entity state widget and added a new widget that support invoking automations on your Homeassistant. Homeassistant's vast library of integrations enable you to make complex workflow that can be easily started with a single click from Homarr:  #### Improved layout & performance for torrent widget We've improved the layout for smaller screens and significantly cut down the bandwidth required for the torrent widget. This should result in less lag and faster updating on your widget.  #### Renaming & duplicating boards We've heard you: boards can now be renamed / or duplicated. You don't need to mess with any files on the filesystem. #### JSON API We know that there are many advanced users who want to take better control of Homarr's capabilities. Therefore, we've added a JSON API that can be used to execute almost any action that you can from the WEB UI. We provide an Open API specification document that enables you to easily browse your API endpoints:  #### Fixed local paths in icon picker Previously, the local icons were hard to use and had the wrong path by default. We have fixed this problem and added the size of the file as an additional information. #### Availability of media requests [@&truecharts#8203;tancak](https://togithub.com/tancak) has contributed the displaying of availability information on requests:  ##### What's Changed - docs: updated dead installation links in README.md by [@&truecharts#8203;stark1tty](https://togithub.com/stark1tty) in [ajnart/homarr#1775 - refactor: improve torrent table design by [@&truecharts#8203;manuel-rw](https://togithub.com/manuel-rw) in [ajnart/homarr#1786 - docs: fix documentation link URL after creating user by [@&truecharts#8203;StefanB7](https://togithub.com/StefanB7) in [ajnart/homarr#1796 - feat: add availability information about media requests by [@&truecharts#8203;tancak](https://togithub.com/tancak) in [ajnart/homarr#1794 - feature: trigger automations by [@&truecharts#8203;manuel-rw](https://togithub.com/manuel-rw) in [ajnart/homarr#1799 - feature: [#&truecharts#8203;1765](https://togithub.com/ajnart/homarr/issues/1765) reduce transferred torrent data by [@&truecharts#8203;manuel-rw](https://togithub.com/manuel-rw) in [ajnart/homarr#1798 - fix: database is not initialized inside the docker container by [@&truecharts#8203;anonysoul](https://togithub.com/anonysoul) in [ajnart/homarr#1806 - chore: increase version by [@&truecharts#8203;manuel-rw](https://togithub.com/manuel-rw) in [ajnart/homarr#1811 - feature: improve admin security over dnshole controls by [@&truecharts#8203;Tagaishi](https://togithub.com/Tagaishi) in [ajnart/homarr#1686 - feature: rss improvements by [@&truecharts#8203;manuel-rw](https://togithub.com/manuel-rw) in [ajnart/homarr#1810 - feature: board operations by [@&truecharts#8203;manuel-rw](https://togithub.com/manuel-rw) in [ajnart/homarr#1800 - revert: [#&truecharts#8203;1714](https://togithub.com/ajnart/homarr/issues/1714) migrate to axios.get by [@&truecharts#8203;manuel-rw](https://togithub.com/manuel-rw) in [ajnart/homarr#1819 - chore: new Crowdin updates by [@&truecharts#8203;ajnart](https://togithub.com/ajnart) in [ajnart/homarr#1772 - feature: add trpc openapi by [@&truecharts#8203;manuel-rw](https://togithub.com/manuel-rw) in [ajnart/homarr#1818 - refactor: optimize imports by [@&truecharts#8203;manuel-rw](https://togithub.com/manuel-rw) in [ajnart/homarr#1822 - chore: New Crowdin updates by [@&truecharts#8203;ajnart](https://togithub.com/ajnart) in [ajnart/homarr#1820 - fix: [#&truecharts#8203;1734](https://togithub.com/ajnart/homarr/issues/1734) fix local icons path by [@&truecharts#8203;manuel-rw](https://togithub.com/manuel-rw) in [ajnart/homarr#1821 #### New Contributors - [@&truecharts#8203;stark1tty](https://togithub.com/stark1tty) made their first contribution in [ajnart/homarr#1775 - [@&truecharts#8203;StefanB7](https://togithub.com/StefanB7) made their first contribution in [ajnart/homarr#1796 - [@&truecharts#8203;tancak](https://togithub.com/tancak) made their first contribution in [ajnart/homarr#1794 - [@&truecharts#8203;anonysoul](https://togithub.com/anonysoul) made their first contribution in [ajnart/homarr#1806 **Full Changelog**: ajnart/homarr@v0.14.3...v0.14.4 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 10pm on monday" in timezone Europe/Amsterdam, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://togithub.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xNDAuOSIsInVwZGF0ZWRJblZlciI6IjM3LjE0MC45IiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIn0=-->
Category
Overview
Issue Number