Admin mode does not prevent access to sidekiq admin UI
Only relevant when the feature flag for admin mode is active.
The route for the Sidekiq admin UI under /admin/sidekiq is protected, in config/routes/sidekiq.rb, by a constraint that only calls User#admin?, so it bypasses the admin mode state entirely:
# Current constraint: any authenticated admin account passes, whether or not admin mode is active.
constraint = lambda { |request| request.env['warden'].authenticate? && request.env['warden'].user.admin? }
constraints constraint do
  mount Sidekiq::Web, at: '/admin/sidekiq', as: :sidekiq
end
I did initial tests locally with something like:
constraint = lambda do |request|
  # With the feature flag on, require the session to be in admin mode, not just an admin account.
  if Feature.enabled?(:user_mode_in_session)
    return request.env['warden'].authenticate? && Gitlab::Auth::CurrentUserMode.new(request.env['warden'].user).admin_mode?
  end

  # Flag off: keep the existing behaviour.
  request.env['warden'].authenticate? && request.env['warden'].user.admin?
end
This works, but unfortunately it just shows the administrator a 404 when accessing the route, with no indication that admin mode is the issue. We might approach it the same way as accessing the /admin endpoint and redirect automatically to re-login, though I'm not sure if that is possible with the Rails route constraints code above.
Thanks to my colleague @fh1ch for the tip!
Edited by Diego Louzán
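As an added illustration, not code from the issue or from GitLab, the block below models both constraints and the redirect-instead-of-404 alternative raised above. Warden, Feature, Gitlab::Auth::CurrentUserMode and Sidekiq::Web are replaced by small stand-ins; the session layout ('rack.session' with an 'admin_mode' key) and the re-authentication path /admin/session/new are assumptions; and AdminModeGate is a hypothetical Rack wrapper around the mounted app, not a Rails route constraint, since a constraint that fails can only produce a 404.

```ruby
# Added illustration, not GitLab code: Warden, Feature, CurrentUserMode and
# Sidekiq::Web are replaced by small stand-ins (assumptions for this example).

User = Struct.new(:username, :admin) do
  def admin?
    admin
  end
end

# Stand-in for request.env['warden']: authenticated iff a user is present.
FakeWarden = Struct.new(:user) do
  def authenticate?
    !user.nil?
  end
end

FakeRequest = Struct.new(:env)

# Stand-in for Feature.enabled?(:user_mode_in_session).
module Feature
  FLAGS = { user_mode_in_session: true }

  def self.enabled?(name)
    FLAGS.fetch(name, false)
  end
end

# Stand-in for Gitlab::Auth::CurrentUserMode. The real class reads the admin
# mode flag from the current session; here the session hash is passed in.
class CurrentUserMode
  def initialize(user, session)
    @user = user
    @session = session
  end

  def admin_mode?
    @user.admin? && @session['admin_mode'] == true
  end
end

# The constraint as it stands in config/routes/sidekiq.rb: User#admin? only.
LEGACY_CONSTRAINT = lambda do |request|
  warden = request.env['warden']
  warden.authenticate? && warden.user.admin?
end

# The proposed constraint: require admin mode while the feature flag is on.
ADMIN_MODE_CONSTRAINT = lambda do |request|
  warden = request.env['warden']
  return false unless warden.authenticate?

  if Feature.enabled?(:user_mode_in_session)
    CurrentUserMode.new(warden.user, request.env['rack.session']).admin_mode?
  else
    warden.user.admin?
  end
end

# Stand-in for the mounted Sidekiq::Web Rack app.
SIDEKIQ_WEB = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['sidekiq dashboard']] }

# Hypothetical Rack wrapper around the mounted app. A failed route constraint
# can only yield a 404; wrapping the app instead lets an admin who is not in
# admin mode be redirected to re-authenticate. The re-auth path is assumed.
class AdminModeGate
  def initialize(app, reauth_path: '/admin/session/new')
    @app = app
    @reauth_path = reauth_path
  end

  def call(env)
    return @app.call(env) if ADMIN_MODE_CONSTRAINT.call(FakeRequest.new(env))

    warden = env['warden']
    if Feature.enabled?(:user_mode_in_session) && warden.authenticate? && warden.user.admin?
      [302, { 'Location' => @reauth_path }, []] # admin account, but admin mode is off
    else
      [404, { 'Content-Type' => 'text/plain' }, ['Not Found']] # same as an unmatched route
    end
  end
end

# Constructed Rack env for one scenario.
def build_env(user:, admin_mode: false)
  { 'warden' => FakeWarden.new(user), 'rack.session' => { 'admin_mode' => admin_mode } }
end

# Status returned by the gate for one scenario.
def gate_status(user:, admin_mode: false, flag: true)
  Feature::FLAGS[:user_mode_in_session] = flag
  AdminModeGate.new(SIDEKIQ_WEB).call(build_env(user: user, admin_mode: admin_mode)).first
end

ADMIN = User.new('root', true)
DEVELOPER = User.new('dev', false)

if $PROGRAM_NAME == __FILE__
  puts "admin without admin mode: #{gate_status(user: ADMIN)}"                    # 302
  puts "admin in admin mode:      #{gate_status(user: ADMIN, admin_mode: true)}"  # 200
  puts "developer / anonymous:    #{gate_status(user: DEVELOPER)} / #{gate_status(user: nil)}" # 404 / 404
end
```

With the flag on, the legacy constraint still lets an admin account through without admin mode, while the proposed one rejects it; the gate turns that rejection into a 302 to the re-authentication page for admin accounts and leaves everyone else with the same 404 an unmatched route would give, so non-admins learn nothing about the route's existence.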