This is an automated email from the ASF dual-hosted git repository. wave pushed a commit to branch fix-auth-bypass-admin-role in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
commit f453a02111bae3c867b732f50c513af70b9cb1eb
Author: Dave Fisher <[email protected]>
AuthorDate: Thu Feb 26 14:42:34 2026 -0800
Fix auth bypass for admin via exceptions
---
 atr/util.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/atr/util.py b/atr/util.py
index 2fca6b09..0b774684 100644
--- a/atr/util.py
+++ b/atr/util.py
@@ -627,7 +627,7 @@ def is_user_viewing_as_admin(uid: str | None) -> bool:
 app = asfquart.APP
 if (not hasattr(app, "app_id")) or (not isinstance(app.app_id, str)):
 log.error("Cannot get valid app_id to read session for admin view check")
- return True
+ return False
 cookie_id = app.app_id
 session_dict = quart.session.get(cookie_id, {})
@@ -635,7 +635,7 @@ def is_user_viewing_as_admin(uid: str | None) -> bool:
 return not is_downgraded
 except Exception:
 log.exception(f"Error checking admin downgrade session status for {uid}")
- return True
+ return False
 def json_for_script_element(value: Any) -> markupsafe.Markup:
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
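Review bot: Both `return False` lines in this commit now fail closed, but nothing in the diff pins that behavior, so a later refactor of is_user_viewing_as_admin could reintroduce the open default unnoticed; add a regression test that drives both paths (an app whose `app_id` is missing or not a `str`, and a session lookup that raises) and asserts the result is `False`. Each return also deserves a one-line comment, e.g. `# Fail closed: an unreadable session must never grant the admin view.`, because as written they read like ordinary error returns and the reason for the value is only in the commit message. The `except Exception:` in the second hunk stays broad; that is tolerable now that the fallback is the non-privileged value, which the comment should state explicitly so nobody narrows the return later without re-checking. is_user_viewing_as_admin begins before the first hunk and the `try` that the `except` closes is outside the visible lines.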
