@@ -21,6 +21,7 @@ import (
2121type IAuth interface {
2222 IsAdmin (c * gin.Context ) bool
2323 IsLoggedIn (c * gin.Context ) bool
24+ IsWizardMode (c * gin.Context ) bool
2425}
2526
2627// Auth API
@@ -203,16 +204,17 @@ func (a *Auth) DisplayUserTable() {
203204 log .Println (users )
204205}
205206
206- // IsAdmin returns true if the user logged in is the admin user
207- // First tries for a session token, and if that fails falls back on an auth token
207+ // IsAdmin returns true if the user logged in is the admin user.
208+ // First tries for a session token, and if that fails falls back on an auth token.
209+ //
210+ // Returns false when no admin user exists in the DB. Pre-admin handlers that
211+ // the install wizard genuinely needs (e.g. UploadFile, UpdateSettings) should
212+ // also accept IsWizardMode as an exemption.
208213func (a * Auth ) IsAdmin (c * gin.Context ) bool {
209-
210- // if there is no admin user in the db, then we can't have an admin user, so we'll just return true for now, mostly
211- // so the wizard can upload images
212214 var adminUser AdminUser
213215 err := (* a .db ).First (& adminUser ).Error
214216 if err != nil {
215- return true
217+ return false
216218 }
217219
218220 session := sessions .Default (c )
@@ -224,9 +226,6 @@ func (a *Auth) IsAdmin(c *gin.Context) bool {
224226 }
225227 }
226228
227- //debug
228- //a.DisplayUserTable()
229-
230229 // first make sure the access token matches a logged in user
231230 var existingUser BlogUser
232231 err = (* a .db ).Where ("access_token = ?" , token ).First (& existingUser ).Error
@@ -241,6 +240,17 @@ func (a *Auth) IsAdmin(c *gin.Context) bool {
241240 return true
242241}
243242
243+ // IsWizardMode returns true when the install wizard has not yet completed,
244+ // detected by the absence of any row in the admin_users table. The wizard's
245+ // own pre-admin endpoints (image upload, initial settings) gate on this so
246+ // that fresh-install setup can complete before an admin user exists, without
247+ // IsAdmin itself being permissive to anonymous traffic.
248+ func (a * Auth ) IsWizardMode (c * gin.Context ) bool {
249+ var adminUser AdminUser
250+ err := (* a .db ).First (& adminUser ).Error
251+ return err != nil
252+ }
253+
244254// IsLoggedIn Returns true if the user is logged in, false otherwise
245255func (a * Auth ) IsLoggedIn (c * gin.Context ) bool {
246256 session := sessions .Default (c )
0 commit comments