Removes insecure clear_inactive_users endpoint (#85)

2020-09-29 22:18:25 +02:00 · 2020-09-29 22:18:25 +02:00 · fd1195ffaa
commit fd1195ffaa
parent c5dd461bdc
2 changed files with 4 additions and 3 deletions
--- a/app/routes.py
+++ b/app/routes.py
@ -455,7 +455,7 @@ def settings():
    }
    return render_template('settings.html', info=instanceInfo, config=config, admin=current_user.is_admin)

-@app.route('/clear_inactive_users/<phash>')
+'''@app.route('/clear_inactive_users/<phash>')
@login_required
 def clear_inactive_users(phash):
    ahash = User.query.filter_by(username=config['admin_user']).first().password_hash
@ -474,7 +474,7 @@ def clear_inactive_users(phash):
                db.session.commit()
    else:
        flash("You must be admin for this action")
-    return redirect(request.referrer)
+    return redirect(request.referrer)'''

@app.route('/export')
@login_required
--- a/app/templates/settings.html
+++ b/app/templates/settings.html
@ -79,6 +79,7 @@
            <div class="control-me"><a href="/deleteme"><button class="ui red button">Delete account</button></a></div>   
        </div>

+        <!--
        {% if admin %}
        <div class="ui segment">
            <h2 class="ui centered header">
@ -87,7 +88,7 @@
            <label for="toggle">Delete accounts with last login older than {{config.max_old_user_days}} days.</label> <br>
            <a href="/clear_inactive_users/{{current_user.password_hash}}"><button class="ui red button">Delete</button></a></div>   
        </div>
-        {% endif %}
+        {% endif %}-->

        <!-- INSTANCE INFO -->
        <h1 class="ui header">{{config.serverName}} Info</h1>