Dashboard API: allow access to ~/workspace/ for Ralph projects

2026-02-09 10:33:51 +00:00
parent af4bed4e98
commit b12eeaff96
1 changed files with 40 additions and 12 deletions
--- a/dashboard/api.py
+++ b/dashboard/api.py
@@ -110,10 +110,26 @@ class TaskBoardHandler(SimpleHTTPRequestHandler):
            path = data.get('path', '')
            content = data.get('content', '')
-            workspace = Path('/home/moltbot/clawd')
+            # Allow access to clawd and workspace
-            target = (workspace / path).resolve()
+            allowed_dirs = [
                Path('/home/moltbot/clawd'),
                Path('/home/moltbot/workspace')
            ]
-            if not str(target).startswith(str(workspace)):
+            # Try to resolve against each allowed directory
            target = None
            workspace = None
            for base in allowed_dirs:
                try:
                    candidate = (base / path).resolve()
                    if str(candidate).startswith(str(base)):
                        target = candidate
                        workspace = base
                        break
                except:
                    continue
            if target is None:
                self.send_json({'error': 'Access denied'}, 403)
                return
@@ -641,15 +657,27 @@ class TaskBoardHandler(SimpleHTTPRequestHandler):
        path = params.get('path', [''])[0]
        action = params.get('action', ['list'])[0]
-        # Security: only allow access within workspace
+        # Security: only allow access within allowed directories
-        workspace = Path('/home/moltbot/clawd')
+        allowed_dirs = [
-        try:
+            Path('/home/moltbot/clawd'),
-            target = (workspace / path).resolve()
+            Path('/home/moltbot/workspace')
-            if not str(target).startswith(str(workspace)):
+        ]
-                self.send_json({'error': 'Access denied'}, 403)
+        
-                return
+        # Try to resolve against each allowed directory
-        except:
+        target = None
-            self.send_json({'error': 'Invalid path'}, 400)
+        workspace = None
        for base in allowed_dirs:
            try:
                candidate = (base / path).resolve()
                if str(candidate).startswith(str(base)):
                    target = candidate
                    workspace = base
                    break
            except:
                continue
        if target is None:
            self.send_json({'error': 'Access denied'}, 403)
            return
        if action == 'list':