Commit graph

22 commits

Author SHA1 Message Date
Seth Van Niekerk
911644531b
add allowed_networks to ADMIN_ONLY_PROPS 2026-05-01 09:14:30 -04:00
SergeantPanda
8afaa01184 security: Extended rate limiting to the session-auth login alias (POST /api/accounts/auth/login/). It now delegates entirely to TokenObtainPairView, inheriting its throttle, network access check, and audit logging, and returns JWT tokens instead of a session cookie (the session-based response was unusable since SessionAuthentication is not in DEFAULT_AUTHENTICATION_CLASSES). Both endpoints share the same "login" throttle scope, so attempts across either path count against the same per-IP limit.
Some checks are pending
CI Pipeline / prepare (push) Waiting to run
CI Pipeline / docker (amd64, ubuntu-24.04) (push) Blocked by required conditions
CI Pipeline / docker (arm64, ubuntu-24.04-arm) (push) Blocked by required conditions
CI Pipeline / create-manifest (push) Blocked by required conditions
Build and Push Multi-Arch Docker Image / build-and-push (push) Waiting to run
2026-04-10 19:54:10 -05:00
SergeantPanda
fa9a7868ff security: proxy streaming endpoints (stream_ts, stream_xc, stream_vod, head_vod, stream_xc_movie, stream_xc_episode) use @permission_classes([AllowAny]) (access is controlled by the per-stream-type network allow-list inside the view body); the UserAgentViewSet, StreamProfileViewSet, CoreSettingsViewSet, and ProxySettingsViewSet gained get_permissions() methods mapping read actions to IsStandardUser and write actions to IsAdmin; and AuthViewSet.logout was updated to return [Authenticated()]. 2026-04-10 10:47:50 -05:00
SergeantPanda
b535f28ac5 security: Added rate limiting to the login endpoint (POST /api/accounts/token/) using DRF's built-in throttling. A LoginRateThrottle (3 requests/minute per IP, sliding window) is applied to the TokenObtainPairView. Repeated failed attempts from the same IP receive 429 Too Many Requests. 2026-04-09 21:46:50 -05:00
SergeantPanda
08545b8c92 security: Prevented users from setting xc_password (and other admin-managed keys) on their own account via the PATCH /api/accounts/users/me/ endpoint. 2026-04-09 21:31:38 -05:00
dekzter
a19be96ced fleshed out user limits and termination logic 2026-03-25 17:33:26 -04:00
SergeantPanda
d5aaa0277c security: Do not allow user to give themselves admin or super_user privileges. 2026-03-08 16:30:48 -05:00
Jeff Casimir
8fb88827ae Fix code review findings for navigation ordering PR
P1 (Critical):
- Replace undefined @swagger_auto_schema with @extend_schema
- Add custom_properties validation with size limits
- Add merge semantics in serializer update() to prevent data loss

P2 (Important):
- Add debouncing (800ms) for drag operations in NavOrderForm
- Add error handling with notifications for visibility toggle
- Use store getters in Sidebar instead of direct property access
- Cache hiddenNav before render loop

P3 (Nice-to-have):
- Add canHide: false to settings nav item
- Fix admin check to use >= instead of ==
- Fix ESLint unused variable warnings

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-08 16:28:29 -05:00
Jeff Casimir
edf81ef6c6 Add PATCH method to /me/ endpoint for user preferences
- Allow users to update their own profile via PATCH /api/accounts/users/me/
- Supports partial updates to custom_properties (including navOrder)
- Add comprehensive test coverage for the endpoint

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-08 16:25:47 -05:00
Matt Grutza
3ec62a3d52
Merge branch 'dev' into Feature/954-1004-user-account-management 2026-02-24 14:49:31 -06:00
None
f453380f5c Remove user account disable/enable UI (keep backend guards)
Removed the frontend UI exposure
while keeping backend guards as defensive measures.

Removed:
- frontend/src/components/forms/User.jsx — Account Enabled switch
- frontend/src/components/tables/UsersTable.jsx — Status column
- apps/accounts/api_views.py — is_active check in TokenRefreshView
- apps/accounts/tests.py — related tests
2026-02-22 20:02:08 -06:00
None
db318e4981 Fix #954: Superuser detection; Feature #1004: User account disable/enable
Bug #954: The initialize_superuser endpoint only checked is_superuser=True, missing admin accounts created via the API (user_level=10). This caused users to intermittently see the "Create Super User" page instead of login.

Feature #1004: Admins can now disable/enable user accounts. Disabled users are blocked from JWT login, token refresh, XC API access, and all
authenticated endpoints. The last active admin cannot be disabled.

Files changed:

Backend:
- apps/accounts/api_views.py — Superuser check uses user_level>=10; token refresh blocks disabled users
- apps/accounts/models.py — CustomUserManager ensures create_superuser() always sets user_level=10
- apps/accounts/serializers.py — Last-admin protection guard; respect is_active on user creation
- apps/accounts/tests.py — new tests covering superuser detection, token
 refresh blocking, last-admin protection, disabled user login/access
- apps/backups/api_views.py — Switched from DRF's IsAdminUser (checks is_staff) to app's IsAdmin (checks user_level) on all 8 endpoints
- apps/backups/tests.py — new tests verifying user_level-based admin permission on backup endpoints
- apps/output/views.py — is_active check on xc_get_user(), xc_movie_stream(), xc_series_stream()
- apps/proxy/ts_proxy/views.py — is_active check on stream_xc()
- core/api_views.py — Admin notification filter uses user_level>=10
- core/developer_notifications.py — Admin checks use user_level>=10

Frontend:
- frontend/src/App.jsx — Null-safe superuser existence check
- frontend/src/components/forms/User.jsx — Account Enabled switch with
  self-disable prevention and tooltip
- frontend/src/components/tables/UsersTable.jsx — Status column (Active/Disabled badge)
2026-02-22 18:05:02 -06:00
dekzter
aece3367ce backend work for api key authentication 2026-02-21 13:45:07 -05:00
dekzter
24f812dc4d initial connect feature 2026-02-08 09:29:22 -05:00
SergeantPanda
5364123745 - Swagger/OpenAPI Migration: Migrated from drf-yasg (OpenAPI 2.0) to drf-spectacular (OpenAPI 3.0) for API documentation. This provides:
- Native Bearer token authentication support in Swagger UI - users can now enter just the JWT token and the "Bearer " prefix is automatically added
  - Modern OpenAPI 3.0 specification compliance
  - Better auto-generation of request/response schemas
  - Improved documentation accuracy with serializer introspection
2026-01-27 13:33:33 -06:00
SergeantPanda
cb1953baf2 Enhancement: Implement comprehensive logging for user authentication events and network access restrictions 2025-11-21 10:50:48 -06:00
SergeantPanda
dfaae6e617 Enhance UserViewSet queryset to prefetch related channel_profiles for improved performance 2025-09-14 19:47:40 -05:00
SergeantPanda
ac07a5217f Set last_login when successful login occurs. 2025-06-28 08:55:07 -05:00
dekzter
3f445607e0 looooots of updates for user-management, initial commit of access control 2025-05-31 18:01:46 -04:00
dekzter
74d58515d0 user management, user levels, user level channel access 2025-05-18 11:19:34 -04:00
Dispatcharr
814d6a6cda Added Super User Creator
Added creator
Corrected license in swagger
2025-03-03 14:57:38 -06:00
Dispatcharr
8edb743ebd Initial commit 2025-02-18 11:14:09 -06:00