From dd160916a8f1a9028d95d7e0344d40544078151f Mon Sep 17 00:00:00 2001
From: Frederick Yin <fkfd@fkfd.me>
Date: Wed, 2 Feb 2022 23:22:50 +0800
Subject: Reject auth actions other than login/register

---
 jimbrella/auth.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'jimbrella')

diff --git a/jimbrella/auth.py b/jimbrella/auth.py
index c7e2fa3..39d355b 100644
--- a/jimbrella/auth.py
+++ b/jimbrella/auth.py
@@ -38,19 +38,22 @@ def auth(action):
 
         if not check_password_hash(user["password"], password):
             return show_error("login", "Incorrect password. Sorry.")
-    else:
+    elif action == "register":
         if not ACCEPT_NEW_USERS:
             return show_error("register", "Sorry, but user registrations are closed.")
         try:
             users.register(username, generate_password_hash(password), "en-US")
         except UsernameTakenError as e:
             return show_error("register", e.message)
+    else:
+        abort(400)
 
     # give access
     session.clear()
     session["username"] = username
     return redirect(url_for("admin.index"))
 
+
 @bp.route("/logout")
 def logout():
     session.pop("username", None)
-- 
cgit v1.2.3