tenseleyflow/shithub / 9d2664d


S34: declare AdminMounter + register before lifecycle

Authored by espadonne
SHA
9d2664dd8bb6914ea4ae67a34805eb5ab9064190
Parents
d526321
Tree
6358932

1 changed file

StatusFile+-
M internal/web/handlers/handlers.go 7 0
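--- a/internal/web/handlers/handlers.go
+++ b/internal/web/handlers/handlers.go
@@ -120,6 +120,10 @@ type Deps struct {
 	// OrgInvitationsMounter registers /invitations/{token} +
 	// accept/decline. RequireUser at the wiring layer.
 	OrgInvitationsMounter func(chi.Router)
+	// AdminMounter, when non-nil, registers /admin/* routes (S34).
+	// The mounter wraps the handler chain in RequireUser +
+	// RequireSiteAdmin so non-admins receive 404, not 403.
+	AdminMounter func(chi.Router)
 	// GitHTTPMounter, when non-nil, registers the smart-HTTP git routes
 	// (`*.git/info/refs`, `git-upload-pack`, `git-receive-pack`). MUST
 	// land in a route group that bypasses CSRF, response compression,
@@ -288,6 +292,9 @@ func RegisterChi(r *chi.Mux, deps Deps) (*chi.Mux, middleware.PanicHandler, http
 		// Lifecycle danger-zone + transfers + restore. Order: after
 		// RepoHome so explicit settings paths are matched first, before
 		// Profile's /{username} catch-all.
+		if deps.AdminMounter != nil {
+			deps.AdminMounter(r)
+		}
 		if deps.RepoLifecycleMounter != nil {
 			deps.RepoLifecycleMounter(r)
 		}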
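Review bot: The new `deps.AdminMounter(r)` call in RegisterChi sits between the "Lifecycle danger-zone + transfers + restore" comment and the `RepoLifecycleMounter` block that comment describes, so the comment now reads as documentation for the admin routes. Move the three added lines above that comment and give them their own, e.g. `// Admin routes (S34). The mounter must apply RequireUser + RequireSiteAdmin itself; nothing at this call site gates /admin/*.` This matters because, per the new Deps field comment, authorization lives entirely inside the injected function, while this call mounts it on the shared router with only a nil check. A handler test asserting that anonymous and non-admin requests to an /admin/ path both get 404 would pin that contract. RegisterChi's body starts and ends outside the hunk, so which middleware group `r` belongs to here cannot be confirmed from this view.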