ioos / ioosngdac

IOOS National Glider Data Assembly Center (V2)
https://ioos.github.io/ioosngdac/

Admin panel available to me (a non-admin) #149

Closed kwilcox closed 4 years ago

kwilcox commented 4 years ago

I logged into the providers' website to complete and create a new deployment and noticed a bright green "Admin" button at the top I had never noticed before. I didn't start pressing buttons. Hopefully the buttons on the page don't work and authorization is handled elsewhere. Would be best if this view wasn't presented to a "non-admin" at all.

[Screenshot attached: Selection_033]

benjwadams commented 4 years ago

Thanks for reporting this. I have found the cause of this issue and will issue a post-mortem briefly. In the interim, I've downgraded the version to one that does not have this issue.

benjwadams commented 4 years ago

Essentially, a number of libraries were upgraded as part of migration to Python 3 due to the Python 2 EOL back in January. The usual stuff like unicode and standard library changes were addressed.

A number of third-party library changes also occurred. Some of the libraries had not been updated in quite some time. The Flask-Login library in particular had a number of code interface changes that were not backwards compatible. Namely, there were a number of is_{} methods related to checking a user's logged-in status that changed from method calls to properties. These were is_authenticated, is_anonymous, and is_active. is_admin was included in the user model, but was not handled by Flask-Login and had its parentheses removed like the aforementioned methods. Calling it sans parentheses just returned the function object, which returned a truthy value when certain users should not have been able to interact with the admin interface. This has been addressed by making is_admin a property to bring it in line with the other is_{} functions provided by Flask-Login.
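The failure mode described in the comment above, reproduced as an added example (not code from the ioosngdac project): a minimal user model whose `is_admin` is still a method next to the Flask-Login style `is_authenticated` property, the authorization check written without parentheses, and the same model with `is_admin` converted to a property. The `UserBroken`, `UserFixed`, `can_see_admin_panel` and `method_style_is_attributes` names are constructed for this example; the last one is the kind of guard a unit test could use to catch any remaining `is_*` method before it is mistaken for a property.

```python
import inspect


class UserBroken:
    """Constructed model reflecting the pre-fix state: is_admin is a method."""

    def __init__(self, username, admin=False):
        self.username = username
        self._admin = admin

    @property
    def is_authenticated(self):
        # Flask-Login converted this to a property; callers use user.is_authenticated
        return True

    def is_admin(self):
        # Still a method: user.is_admin (no parentheses) is the bound method, always truthy
        return self._admin


class UserFixed(UserBroken):
    """Same model with is_admin made a property, matching the other is_* members."""

    @property
    def is_admin(self):
        return self._admin


def can_see_admin_panel(user):
    """The check as it read after the migration: parentheses dropped on is_admin."""
    return bool(user.is_authenticated and user.is_admin)


def method_style_is_attributes(cls):
    """Return the is_* attributes of cls that are plain methods rather than properties.

    Any name returned here will be truthy when referenced without parentheses,
    so this is a cheap test-time guard against the bug above."""
    flagged = []
    for name in dir(cls):
        if name.startswith("is_"):
            attr = inspect.getattr_static(cls, name)  # resolves via the MRO without binding
            if inspect.isfunction(attr):
                flagged.append(name)
    return flagged


def audit_admin_checks():
    """Evaluate the admin check for a non-admin user under both models."""
    broken = UserBroken("alice", admin=False)
    fixed = UserFixed("alice", admin=False)
    return {
        "broken_grants_admin": can_see_admin_panel(broken),  # True: bound method is truthy
        "fixed_grants_admin": can_see_admin_panel(fixed),    # False: property yields the real flag
    }
```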

benjwadams commented 4 years ago

Adding some unit/integration test coverage is on the agenda for the DAC once some remaining libraries get updated or replaced so that we can ensure critical functionality is working as intended.