From fd1195ffaa696332b7e817e811b499fd34572123 Mon Sep 17 00:00:00 2001
From: pluja
Date: Tue, 29 Sep 2020 22:18:25 +0200
Subject: [PATCH] Removes insecure clear_inactive_users endpoint (#85)
---
 app/routes.py | 4 ++--
 app/templates/settings.html | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/app/routes.py b/app/routes.py
index 0326912..dda3854 100644
--- a/app/routes.py
+++ b/app/routes.py
@@ -455,7 +455,7 @@ def settings():
 }
 return render_template('settings.html', info=instanceInfo, config=config, admin=current_user.is_admin)
-@app.route('/clear_inactive_users/')
+'''@app.route('/clear_inactive_users/')
 @login_required
 def clear_inactive_users(phash):
 ahash = User.query.filter_by(username=config['admin_user']).first().password_hash
@@ -474,7 +474,7 @@ def clear_inactive_users(phash):
 db.session.commit()
 else:
 flash("You must be admin for this action")
- return redirect(request.referrer)
+ return redirect(request.referrer)'''
 @app.route('/export')
 @login_required
diff --git a/app/templates/settings.html b/app/templates/settings.html
index e5cf42d..e0fcfc9 100644
--- a/app/templates/settings.html
+++ b/app/templates/settings.html
@@ -79,6 +79,7 @@
+
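Review bot: In the `@@ -455,7 +455,7 @@` hunk of app/routes.py the handler is disabled by opening a `'''` string literal in front of `@app.route('/clear_inactive_users/')`, closed after `return redirect(request.referrer)` in the `@@ -474,7 +474,7 @@` hunk, rather than being deleted, so the insecure code stays in the module as a bare string that one stray quote edit would turn back into a live route. Deleting the function outright is safer, since git history keeps it; if it has to stay for reference, `#` comments plus a line such as `# Disabled in #85: authorised by matching a URL parameter against the admin password hash` would say why. The visible lines load the admin's `password_hash` into `ahash` and take `phash` as a route argument, which suggests the hash was being embedded in links; if so it may already sit in access logs, browser history and Referer headers, and rotating the admin password on deployed instances is worth mentioning in the release notes. The function body between the two hunks is not shown here.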

{{config.serverName}} Info