fix: require_privilege 500s on a non-dict privileges blob from auth.json (#1693)

2026-06-03 05:37:54 +01:00
parent 933c461f38
commit f0b172020e
2 changed files with 38 additions and 0 deletions
--- a/src/auth_helpers.py
+++ b/src/auth_helpers.py
@@ -107,6 +107,8 @@ def require_privilege(request: Request, key: str) -> str:
        privs = auth_mgr.get_privileges(user) or {}
    except Exception:
        return user
+    if not isinstance(privs, dict):
+        privs = {}
    # True = permitted; missing key defaults to permitted (unknown privileges
    # fail open — the UI gates display-side).
    if not privs.get(key, True):