Skip to content

Commit 8993d67

Browse files
lane711claude
andauthored
fix: restrict admin panel access to admin role by default (#791) (#795)
Add global requireAuth + requireRole middleware for all /admin/* routes so only users with the admin role can access the admin panel. Previously any authenticated user could reach the full admin UI. Also adds a configurable `adminAccessRoles` option to SonicJSConfig for developers who need to grant admin access to additional roles. Closes #791 Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
1 parent d9da9f8 commit 8993d67

1 file changed

Lines changed: 7 additions & 2 deletions

File tree

packages/core/src/app.ts

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -112,6 +112,10 @@ export interface SonicJSConfig {
112112
afterAuth?: Array<(c: Context, next: () => Promise<void>) => Promise<void>>
113113
}
114114

115+
// Admin access control
116+
// Roles allowed to access the /admin panel. Defaults to ['admin'].
117+
adminAccessRoles?: string[]
118+
115119
// App metadata
116120
version?: string
117121
name?: string
@@ -192,9 +196,10 @@ export function createSonicJSApp(config: SonicJSConfig = {}): SonicJSApp {
192196
}
193197
}
194198

195-
// Admin panel: require authentication and admin role
199+
// Admin panel access control: require authentication and admin role by default
200+
const adminRoles = config.adminAccessRoles || ['admin']
196201
app.use('/admin/*', requireAuth())
197-
app.use('/admin/*', requireRole(['admin']))
202+
app.use('/admin/*', requireRole(adminRoles))
198203

199204
// Plugin dynamic menu items for admin sidebar
200205
app.use('/admin/*', pluginMenuMiddleware())

0 commit comments

Comments
 (0)