The Jobs UI allows anyone to see the jobs list & run a job ID. There is no authentication scheme to protect the job control. This is a major security hole.
The real problem is APScheduler.init_app() always adds Jobs UI endpoints. Please, add a flag to the constructor & init_app methods so that the Job UI can be left out of the Flask routes (I recommend this as the default).
NOTE:
For now, I am overriding the method to ignore __load_views() so that it doesn't make the routes.
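As an added example (not part of the original issue and not the project's code), here is one stopgap that needs no change to the library: a standard-library WSGI middleware that refuses requests to the job endpoints unless a bearer token matches, and hides them entirely when no token is configured. The `/scheduler` prefix, the `SchedulerGuard` name and the token scheme are assumptions; substitute the path your deployment actually exposes.

```python
import hmac
from wsgiref.util import setup_testing_defaults


class SchedulerGuard:
    """Deny requests under `prefix` unless the bearer token matches."""

    def __init__(self, app, prefix="/scheduler", token=None):
        self.app = app
        self.prefix = prefix.rstrip("/")  # assumed prefix, adjust to your routes
        self.token = token  # None means the endpoints are hidden (404)

    def _guarded(self, path):
        return path == self.prefix or path.startswith(self.prefix + "/")

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if not self._guarded(path):
            return self.app(environ, start_response)
        if self.token is None:
            return self._deny(start_response, "404 Not Found")
        supplied = environ.get("HTTP_AUTHORIZATION", "")
        expected = "Bearer " + self.token
        # Constant-time comparison avoids leaking the token via timing.
        if hmac.compare_digest(supplied.encode(), expected.encode()):
            return self.app(environ, start_response)
        return self._deny(start_response, "401 Unauthorized")

    @staticmethod
    def _deny(start_response, status):
        start_response(status, [("Content-Type", "text/plain")])
        return [status.encode()]


def demo_app(environ, start_response):
    # Constructed stand-in for the app that exposes the job endpoints.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def status_for(app, path, auth=None):
    """Send one constructed request to a WSGI app; return its status line."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    if auth:
        environ["HTTP_AUTHORIZATION"] = auth
    seen = []
    app(environ, lambda status, headers, exc_info=None: seen.append(status))
    return seen[0]
```

In a Flask application the guard is installed with `app.wsgi_app = SchedulerGuard(app.wsgi_app, token=...)`, with the token loaded from configuration rather than hard-coded.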