Reject auth actions other than login/register

author: Frederick Yin <fkfd@fkfd.me> 2022-02-02 23:22:50 +0800
committer: Frederick Yin <fkfd@fkfd.me> 2022-02-02 23:22:50 +0800
commit: dd160916a8f1a9028d95d7e0344d40544078151f (patch)
tree: f54617f785c3d5d18d69569bfe8b638f248d2bec
parent: ac73e8544697a63370b4728188d59df809faf197 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/jimbrella/auth.py b/jimbrella/auth.py
index c7e2fa3..39d355b 100644
--- a/jimbrella/auth.py
+++ b/jimbrella/auth.py
@@ -38,19 +38,22 @@ def auth(action):
 
         if not check_password_hash(user["password"], password):
             return show_error("login", "Incorrect password. Sorry.")
-    else:
+    elif action == "register":
         if not ACCEPT_NEW_USERS:
             return show_error("register", "Sorry, but user registrations are closed.")
         try:
             users.register(username, generate_password_hash(password), "en-US")
         except UsernameTakenError as e:
             return show_error("register", e.message)
+    else:
+        abort(400)
 
     # give access
     session.clear()
     session["username"] = username
     return redirect(url_for("admin.index"))
 
+
 @bp.route("/logout")
 def logout():
     session.pop("username", None)
author	Frederick Yin <fkfd@fkfd.me>	2022-02-02 23:22:50 +0800
committer	Frederick Yin <fkfd@fkfd.me>	2022-02-02 23:22:50 +0800
commit	dd160916a8f1a9028d95d7e0344d40544078151f (patch)
tree	f54617f785c3d5d18d69569bfe8b638f248d2bec
parent	ac73e8544697a63370b4728188d59df809faf197 (diff)