Conversation
…HSA-9mjc-6fp2-hm9v) Agent-Logs-Url: https://github.com/evroon/bracket/sessions/574ade56-e0d5-42b0-ab73-ec7a6f383763 Co-authored-by: evroon <11857441+evroon@users.noreply.github.com>
Deploying bracket-docs with
|
| Latest commit: |
d2c7eeb
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://073fc285.bracket-docs.pages.dev |
| Branch Preview URL: | https://copilot-fix-missing-dashboar.bracket-docs.pages.dev |
Copilot created this pull request from a session on behalf of
evroon
April 14, 2026 08:29
View session
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #1660 +/- ##
==========================================
+ Coverage 94.75% 94.80% +0.05%
==========================================
Files 120 120
Lines 4381 4387 +6
==========================================
+ Hits 4151 4159 +8
+ Misses 230 228 -2 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes the missing
dashboard_publiccheck security vulnerability (GHSA-9mjc-6fp2-hm9v).Root cause
The
user_authenticated_or_public_dashboarddependency inauth.pyonly verified that the tournament existed in the database, but never checked whetherdashboard_public = True. This allowed unauthenticated users to access sensitive tournament data on the following endpoints even when the tournament was not publicly shared:GET /tournaments/{tournament_id}(partially protected by an explicit post-dependency check)GET /tournaments/{tournament_id}/courtsGET /tournaments/{tournament_id}/teamsGET /tournaments/{tournament_id}/rankingsGET /tournaments/{tournament_id}/stagesChanges
backend/bracket/routes/auth.py: Addednot tournaments_fetched[0].dashboard_publicto the check inuser_authenticated_or_public_dashboard. Unauthenticated requests to a tournament withdashboard_public=Falsenow receive a 401 response.backend/bracket/routes/tournaments.py: Removed the now-redundant explicitdashboard_publiccheck inget_tournament(the dependency handles it now).backend/tests/integration_tests/api/tournaments_test.py: Addedtest_non_public_tournament_endpoints_blocked_for_unauthenticated_usersto assert that all affected endpoints return 401 for unauthenticated requests whendashboard_public=False.Note:
user_authenticated_or_public_dashboard_by_endpoint_name(used for theGET /tournaments?endpoint_name=route) was not affected — it delegates tosql_get_tournament_by_endpoint_namewhich already includesAND dashboard_public IS TRUEin its SQL query.