Security: disallow API remote-user auth if disabled #6739

shamoon · 2024-05-15T19:54:27Z

Proposed change

Bug fix: non-breaking change which fixes an issue.
New feature / Enhancement: non-breaking change which adds functionality. Please read the important note above.
Breaking change: fix or feature that would cause existing functionality to not work as expected.
Documentation only.
Other. Please explain: Security

I have read & agree with the contributing guidelines.
If applicable, I have included testing coverage for new code in this PR, for backend and / or front-end changes.
If applicable, I have tested my code for new features & regressions on both mobile & desktop devices, using the latest version of major browsers.
If applicable, I have checked that all tests pass, see documentation.
I have run all pre-commit hooks, see documentation.
I have made corresponding changes to the documentation as needed.
I have checked my modifications for any breaking changes.

shamoon requested a review from a team as a code owner May 15, 2024 19:54

paperless-ngx-secretary bot added backend non-trivial Requires approval by several team members labels May 15, 2024

shamoon added this to the Next Release milestone May 15, 2024

github-actions bot added the bug Bug report or a Bug-fix label May 15, 2024

shamoon enabled auto-merge (squash) May 15, 2024 19:55

stumpylog approved these changes May 15, 2024

View reviewed changes

shamoon added 4 commits May 15, 2024 13:11

Security: disallow requests to api if setting disabled

273dc24

Add some logging to test

f62d4da

Try to manually change settings in test

113c7fe

use override_settings

1652b91

shamoon force-pushed the fix-GHSA-72w4-hxqq-c256 branch from 5073457 to 1652b91 Compare May 15, 2024 20:11

shamoon merged commit ed05b40 into dev May 15, 2024
25 checks passed

shamoon deleted the fix-GHSA-72w4-hxqq-c256 branch May 15, 2024 20:18