fix ThemeHook gate to validate session token not just presence

Check socket.assigns.current_scope (validated by mount_current_scope)
instead of raw session token. Prevents stale/invalid session cookies
from bypassing the site-live gate.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
jamey
2026-02-12 14:46:07 +00:00
parent 2cc8c4a9cb
commit 9251beba68
2 changed files with 13 additions and 2 deletions


@@ -42,12 +42,13 @@ defmodule SimpleshopThemeWeb.ThemeHook do
{:cont, socket}
end
def on_mount(:require_site_live, _params, session, socket) do
def on_mount(:require_site_live, _params, _session, socket) do
cond do
Settings.site_live?() ->
{:cont, socket}
session["user_token"] ->
# mount_current_scope runs first, so current_scope is already validated
socket.assigns[:current_scope] && socket.assigns.current_scope.user ->
{:cont, socket}
not SimpleshopTheme.Accounts.has_admin?() ->
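Review bot: The new `socket.assigns[:current_scope] && socket.assigns.current_scope.user ->` branch is only correct if `mount_current_scope` has already run in the same `live_session`, and that ordering is stated only in a comment; if a router registers `:require_site_live` ahead of `mount_current_scope`, `current_scope` is absent, this branch evaluates to nil and the cond falls through to the later branches (it fails closed rather than open, which is the right direction), so consider adding a test that pins the hook order, or raising when `:current_scope` is missing from `socket.assigns`, so the misconfiguration surfaces rather than silently gating everyone. Also worth stating in the commit message or the comment that `mount_current_scope` is now the single place where a stale or invalid session cookie is rejected, since this hook no longer inspects `session["user_token"]` at all.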