maciejpi/nordabiz
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

feat(auth): Restrict Integracje page to platform owner only
Some checks are pending
NordaBiz Tests / Unit & Integration Tests (push) Waiting to run
Details
NordaBiz Tests / E2E Tests (Playwright) (push) Blocked by required conditions
Details
NordaBiz Tests / Smoke Tests (Production) (push) Blocked by required conditions
Details
NordaBiz Tests / Send Failure Notification (push) Blocked by required conditions
Details

Browse Source 
- Hide Integracje link in user menu for non-owner users
- Add server-side access check on /konto/integracje route
- Add owner-only visual indicator on the link

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Maciej Pienczyn 2026-02-09 13:35:34 +01:00
parent 06c2619af4
commit e94f8eb38d
2 changed files with 8 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
blueprints/auth/routes.py
View File

@ -846,11 +846,14 @@ def konto_blokady_dodaj():
@bp.route('/konto/integracje')
@login_required
def konto_integracje():
"""OAuth integrations page for company users.
"""OAuth integrations page - owner only.
Allows company users to connect their Google/Meta accounts
for enriched audit data (GBP reviews, Search Console, Facebook insights).
Allows connecting Google/Meta accounts for enriched audit data.
Restricted to platform owner (maciej.pienczyn@inpi.pl).
"""
if current_user.email != 'maciej.pienczyn@inpi.pl':
flash('Brak dostępu do tej strony.', 'error')
return redirect(url_for('auth.konto_dane'))
if not current_user.company_id:
flash('Musisz byc przypisany do firmy, aby korzystac z integracji.', 'info')
return redirect(url_for('auth.konto_dane'))

4
templates/base.html
View File

@ -1350,8 +1350,8 @@
</svg>
Moje konto
</a>
{% if current_user.company_id %}
<a href="{{ url_for('auth.konto_integracje') }}" class="user-menu-item">
{% if current_user.company_id and current_user.email == 'maciej.pienczyn@inpi.pl' %}
<a href="{{ url_for('auth.konto_integracje') }}" class="user-menu-item owner-only">
<svg width="16" height="16" fill="none" stroke="currentColor" viewBox="0 0 24 24">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M13.828 10.172a4 4 0 00-5.656 0l-4 4a4 4 0 105.656 5.656l1.102-1.101m-.758-4.899a4 4 0 005.656 0l4-4a4 4 0 00-5.656-5.656l-1.1 1.1"/>
</svg>