odysseus/routes at e3ecdd32072e3a4ecd1bb86dfbfc7d069d29a28c - odysseus - Gitea: Git with a cup of tea

Salastil/odysseus

mirror of https://github.com/pewdiepie-archdaemon/odysseus.git synced 2026-06-28 15:45:22 -04:00

Files

T

History

Michael e3ecdd3207 fix(security): gate codex cookbook routes behind admin check for cookie sessions (#4554 )

The Codex cookbook bridge authorized cookie sessions with require_user()
only, allowing non-admin accounts to read cookbook task state, server
topology, task logs, tmux sessions, and model presets. The stop/adopt
routes also execute local or SSH-backed tmux commands.

Add _require_cookbook_scope() that enforces require_admin() for
cookie-session callers while preserving the existing API-token scope
checks. Apply it to all nine /api/codex/cookbook/* routes.

Fixes #4542

Co-authored-by: michaelxer <michaelxer@users.noreply.github.com>

2026-06-27 14:09:32 +01:00

..

__init__.py

Odysseus v1.0

2026-05-31 23:58:26 +09:00

_validators.py

fix(hwfit): validate remote SSH detection targets (#3718 )

2026-06-11 00:43:49 +02:00

admin_wipe_routes.py

refactor(constants): single source of truth for data dir (#3368 )

2026-06-08 09:58:52 +02:00

api_token_routes.py

fix(api): normalize non-object JSON bodies to empty dict in token PATCH (#3976 )

2026-06-15 18:05:15 +01:00

assistant_routes.py

fix(auth): centralize password and username validation constants (#4120 )

2026-06-16 09:52:15 +02:00

auth_routes.py

fix(auth): tie remember-me cookie lifetime to TOKEN_TTL (#4472 )

2026-06-18 21:15:48 +02:00

backup_routes.py

fix: backup import dropping a user's skill on cross-tenant title/id collision (#2057 )

2026-06-09 08:04:22 +02:00

calendar_routes.py

Harden CalDAV write-back with retries (#1193 )

2026-06-15 15:59:31 +09:00

chat_helpers.py

Merge origin/dev into main

2026-06-21 11:08:50 +00:00

chat_routes.py

fix(security): redact credential-bearing URLs and PII from logs (#4750 )

2026-06-22 23:12:39 +02:00

chatgpt_subscription_routes.py

feat: add ChatGPT Subscription provider (#2876 )

2026-06-08 10:19:18 +02:00

cleanup_routes.py

Odysseus v1.0

2026-05-31 23:58:26 +09:00

codex_routes.py

fix(security): gate codex cookbook routes behind admin check for cookie sessions (#4554 )

2026-06-27 14:09:32 +01:00

compare_routes.py

fix(endpoint): scope secondary endpoint lookups by owner

2026-06-08 11:51:55 +01:00

contacts_routes.py

fix(security): redact credential-bearing URLs and PII from logs (#4750 )

2026-06-22 23:12:39 +02:00

cookbook_helpers.py

fix(cookbook): treat local Windows as Windows for serve commands (#3975 )

2026-06-26 13:13:01 +01:00

cookbook_output.py

fix(cookbook): report dead finished downloads as completed instead of stopped (#4025 )

2026-06-15 15:26:55 +09:00

cookbook_routes.py

fix(cookbook): treat local Windows as Windows for serve commands (#3975 )

2026-06-26 13:13:01 +01:00

copilot_routes.py

feat: add ChatGPT Subscription provider (#2876 )

2026-06-08 10:19:18 +02:00

device_flow.py

feat: add ChatGPT Subscription provider (#2876 )

2026-06-08 10:19:18 +02:00

diagnostics_routes.py

feat(ui): add real-time diagnostic logs console (#974 )

2026-06-15 10:32:51 +02:00

document_helpers.py

fix: document read fails with 403 when auth is disabled (#4623 )

2026-06-22 21:01:11 +02:00

document_routes.py

fix: document read fails with 403 when auth is disabled (#4623 )

2026-06-22 21:01:11 +02:00

editor_draft_routes.py

Ignore invalid editor draft payloads (#1533 )

2026-06-03 14:07:03 +09:00

email_helpers.py

Merge origin/dev into main

2026-06-21 11:08:50 +00:00

email_pollers.py

fix: email poller marks calendar extraction processed on LLM failure (#4622 )

2026-06-23 20:32:30 +02:00

email_routes.py

fix(email): validate IMAP/SMTP ports instead of crashing with 500 (#4464 )

2026-06-26 20:32:56 +02:00

embedding_routes.py

feat(paths): abstract runtime path logic for frozen distribution packages (#969 )

2026-06-15 17:44:10 +01:00

emoji_routes.py

refactor(constants): single source of truth for data dir (#3368 )

2026-06-08 09:58:52 +02:00

font_routes.py

Keep compact font family names together (#1263 )

2026-06-03 14:24:30 +09:00

gallery_helpers.py

fix(gallery): fail closed for null-user owner scope (#3613 )

2026-06-09 20:20:21 +02:00

gallery_routes.py

fix(gallery): confine gallery image path resolution (#4352 )

2026-06-16 03:28:09 +01:00

history_routes.py

fix(sessions): copy message metadata when forking a session (#3409 )

2026-06-08 20:49:15 +02:00

hwfit_routes.py

CodeQL hardening for cookbook sync

2026-06-22 02:39:18 +00:00

mcp_routes.py

fix(mcp): share oauth redirect URI (#4087 )

2026-06-15 15:15:53 +09:00

memory_routes.py

fix(routes): normalize session owner fallback helpers (#4313 )

2026-06-16 06:07:42 +01:00

model_routes.py

fix(model-routes): harden _probe_endpoint against malformed model-list responses (#4789 )

2026-06-24 19:05:31 +02:00

note_routes.py

fix(security): redact credential-bearing URLs and PII from logs (#4750 )

2026-06-22 23:12:39 +02:00

personal_routes.py

fix(personal): scope RAG file delete to the caller's own upload dir (#4602 )

2026-06-20 00:50:15 +02:00

prefs_routes.py

refactor(constants): single source of truth for data dir (#3368 )

2026-06-08 09:58:52 +02:00

preset_routes.py

fix(presets): scope expand-prompt model resolution to owner (#3477 )

2026-06-08 21:12:02 +02:00

research_routes.py

refactor(auth): centralize the internal-tool pseudo-username into a constant (#4333 )

2026-06-16 13:13:00 +02:00

search_routes.py

Odysseus v1.0

2026-05-31 23:58:26 +09:00

session_routes.py

fix(auth): clean up rename and null-owner ownership (#4340 )

2026-06-16 03:33:02 +01:00

shell_routes.py

fix: Real-ESRGAN install + Cookbook deps-panel crash on the Python 3.14 image (#4694 )

2026-06-23 19:31:00 +02:00

signature_routes.py

Constrain signature uploads to PNG data (#2844 )

2026-06-05 13:17:43 +02:00

skills_routes.py

Skills test: set explicit max_tokens=4096 instead of 0

2026-06-13 23:09:15 +09:00

stt_routes.py

refactor(uploads): centralize upload byte-limits in upload_limits.py (#3364 ) (#3518 )

2026-06-09 01:24:30 +02:00

task_routes.py

refactor(auth): centralize the internal-tool pseudo-username into a constant (#4333 )

2026-06-16 13:13:00 +02:00

tts_routes.py

Odysseus v1.0

2026-05-31 23:58:26 +09:00

upload_routes.py

Cookbook launch and gallery upload fixes

2026-06-22 01:49:15 +00:00

vault_routes.py

refactor(constants): single source of truth for data dir (#3368 )

2026-06-08 09:58:52 +02:00

webhook_routes.py

fix(webhooks): route public emitters through fire_and_forget (#3964 ) (#4336 )

2026-06-16 00:41:45 +02:00

workspace_routes.py

feat(agent): confine agent file/shell tools to a selectable workspace (#3665 )

2026-06-11 18:17:54 +02:00