Checklist
Describe the bug
The AJAX lookup endpoint (/{identity}/ajax/lookup) does not require any kind of authentication. This opens the possibility for anyone to view your data with a request URL like:
http://localhost:8000/admin/membership/ajax/lookup?name=user&term=test
As a workaround, I wrapped the endpoint with login_required. Of course, it's not the proper fix because this decorator is intended for HTML requests.
```python
from sqladmin import Admin
from sqladmin.authentication import login_required


class CustomAdmin(Admin):
    # adds missing authentication to the ajax lookup endpoint
    @login_required
    async def ajax_lookup(self, *args, **kwargs):
        return await super().ajax_lookup(*args, **kwargs)
```
Steps to reproduce the bug
No response
Expected behavior
No response
Actual behavior
No response
Debugging material
No response
Environment
MacOS, Python 3.13. SQLAdmin 0.23.0
Additional context
No response
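As an added illustration (not code from the issue or from sqladmin), here is a dependency-free ASGI middleware that guards a lookup path of the shape described above and answers an unauthenticated AJAX call with a JSON 401 instead of the HTML login redirect that `login_required` would produce; `lookup_app`, the `authenticated` scope flag and the `call` driver are stand-ins assumed for the demonstration.

```python
import asyncio
import json
import re
from urllib.parse import parse_qs

# Matches /{identity}/ajax/lookup under the admin mount used in the issue (assumed "/admin").
AJAX_LOOKUP = re.compile(r"^/admin/[^/]+/ajax/lookup$")


def is_logged_in(scope) -> bool:
    # Assumption: an upstream auth layer sets scope["authenticated"]; a real
    # deployment would validate a signed session cookie here instead.
    return bool(scope.get("authenticated"))


class AjaxAuthMiddleware:
    """Reject unauthenticated AJAX lookup requests with 401 + JSON body."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and AJAX_LOOKUP.match(scope["path"]) and not is_logged_in(scope):
            body = json.dumps({"detail": "authentication required"}).encode()
            await send({"type": "http.response.start", "status": 401,
                        "headers": [(b"content-type", b"application/json"),
                                    (b"content-length", str(len(body)).encode())]})
            await send({"type": "http.response.body", "body": body})
            return
        await self.app(scope, receive, send)


async def lookup_app(scope, receive, send):
    # Stand-in for the real lookup endpoint: echoes the "term" parameter as one result.
    qs = parse_qs(scope.get("query_string", b"").decode())
    body = json.dumps({"results": [{"id": 1, "text": qs.get("term", [""])[0]}]}).encode()
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"application/json")]})
    await send({"type": "http.response.body", "body": body})


app = AjaxAuthMiddleware(lookup_app)


def call(path, query="", authenticated=False):
    """Drive the ASGI app in-process; returns (status, parsed JSON body)."""
    scope = {"type": "http", "method": "GET", "path": path,
             "query_string": query.encode(), "authenticated": authenticated}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(app(scope, receive, send))
    return sent[0]["status"], json.loads(b"".join(m.get("body", b"") for m in sent[1:]))
```

The same `call` helper doubles as a regression check: the unauthenticated request from the issue's URL must come back 401, and the authenticated one 200.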