fix: restrict housekeeping security check to admins

redimp · redimp · commit 30be0d24ed70 · 2026-05-17T10:36:44.000+02:00
Guard the /-/housekeeping/security-check endpoint with a
has_permission("ADMIN") check and hide the corresponding panel in
the housekeeping template from non-admin users to avoid leaking
configuration details and active plugin names.
diff --git a/otterwiki/templates/tools/housekeeping.html b/otterwiki/templates/tools/housekeeping.html
@@ -87,6 +87,7 @@ <h3 class="card-title">Broken WikiLinks</h3>
 </div>
 {% endif %}
 {#-#}
+{% if has_permission("ADMIN") %}
 <div class="card m-auto m-lg-20">
 <div class="mw-full">
 <h3 class="card-title">Security Check</h3>
@@ -115,6 +116,7 @@ <h3 class="card-title">Security Check</h3>
 </div>
 </div>
 </div>
+{% endif %}
 {#-#}
 {% endblock %}{# content #}
 {% block js %}
diff --git a/otterwiki/views.py b/otterwiki/views.py
@@ -217,8 +217,12 @@ def housekeeping():
 @app.route("/-/housekeeping/security-check", methods=["GET"])
 @login_required
 def security_check():
+    from otterwiki.auth import has_permission
     from otterwiki.security_check import run_backend_checks
 
+    if not has_permission("ADMIN"):
+        abort(403)
+
     results = run_backend_checks()
     return jsonify(results=results)
 
