66 Commits

Author SHA1 Message Date
Copilot
1044914a48 fix: enforce dashboard_public check for unauthenticated API access (GHSA-9mjc-6fp2-hm9v) (#1660)
## Summary

Fixes the missing `dashboard_public` check security vulnerability
(GHSA-9mjc-6fp2-hm9v).

### Root cause

The `user_authenticated_or_public_dashboard` dependency in `auth.py`
only verified that the tournament existed in the database, but never
checked whether `dashboard_public = True`. This allowed unauthenticated
users to access sensitive tournament data on the following endpoints
even when the tournament was not publicly shared:

- `GET /tournaments/{tournament_id}` (partially protected by an explicit
post-dependency check)
- `GET /tournaments/{tournament_id}/courts`
- `GET /tournaments/{tournament_id}/teams`
- `GET /tournaments/{tournament_id}/rankings`
- `GET /tournaments/{tournament_id}/stages`

### Changes

- **`backend/bracket/routes/auth.py`**: Added `not
tournaments_fetched[0].dashboard_public` to the check in
`user_authenticated_or_public_dashboard`. Unauthenticated requests to a
tournament with `dashboard_public=False` now receive a 401 response.
- **`backend/bracket/routes/tournaments.py`**: Removed the now-redundant
explicit `dashboard_public` check in `get_tournament` (the dependency
handles it now).
- **`backend/tests/integration_tests/api/tournaments_test.py`**: Added
`test_non_public_tournament_endpoints_blocked_for_unauthenticated_users`
to assert that all affected endpoints return 401 for unauthenticated
requests when `dashboard_public=False`.

Note: `user_authenticated_or_public_dashboard_by_endpoint_name` (used
for the `GET /tournaments?endpoint_name=` route) was not affected — it
delegates to `sql_get_tournament_by_endpoint_name` which already
includes `AND dashboard_public IS TRUE` in its SQL query.

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: evroon <11857441+evroon@users.noreply.github.com>
2026-04-14 10:38:16 +02:00
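The dependency flaw described in the commit above, reduced to a standalone illustration (added here; it is not the bracket project's `auth.py`, and the in-memory tournament list, the function names and the `Unauthorized` stand-in for a 401 response are assumptions). The "before" form keeps the existence-only check, the "after" form adds the `dashboard_public` condition, and the last function mirrors what the new integration test asserts across the affected endpoints.

```python
from dataclasses import dataclass
class Unauthorized(Exception):
    """Stand-in for the HTTP 401 the real dependency raises (assumption)."""
    status_code = 401

@dataclass(frozen=True)
class Tournament:
    id: int
    dashboard_public: bool

# Constructed sample data: tournament 1 is publicly shared, tournament 2 is not.
TOURNAMENTS = [Tournament(1, True), Tournament(2, False)]

AFFECTED_ENDPOINTS = (
    "/tournaments/{tournament_id}",
    "/tournaments/{tournament_id}/courts",
    "/tournaments/{tournament_id}/teams",
    "/tournaments/{tournament_id}/rankings",
    "/tournaments/{tournament_id}/stages",
)

def vulnerable_dependency(tournament_id, user):
    """Before the fix: an anonymous caller only needs the tournament to exist."""
    if user is not None:
        return True
    tournaments_fetched = [t for t in TOURNAMENTS if t.id == tournament_id]  # SQL stand-in
    if len(tournaments_fetched) < 1:
        raise Unauthorized()
    return True  # dashboard_public is never consulted, so private data leaks

def fixed_dependency(tournament_id, user):
    """After the fix: anonymous access also requires dashboard_public=True."""
    if user is not None:
        return True
    tournaments_fetched = [t for t in TOURNAMENTS if t.id == tournament_id]
    if len(tournaments_fetched) < 1 or not tournaments_fetched[0].dashboard_public:
        raise Unauthorized()
    return True

def unauthenticated_statuses(dependency, tournament_id):
    """Mirror of the regression test: the status each affected endpoint returns."""
    statuses = {}
    for path in AFFECTED_ENDPOINTS:
        try:
            dependency(tournament_id, None)
            statuses[path] = 200
        except Unauthorized as exc:
            statuses[path] = exc.status_code
    return statuses
```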
Erik Vroon
c8cab54286 Add pyrefly type checking (#1434)
Pyrefly is much faster than mypy and a bit stricter
Mypy will also still be checked on CI for now
2025-11-14 10:47:23 +00:00
dependabot[bot]
cc41d79759 Bump uvicorn from 0.35.0 to 0.38.0 in /backend (#1428)
Bumps [uvicorn](https://github.com/Kludex/uvicorn) from 0.35.0 to
0.38.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/Kludex/uvicorn/releases">uvicorn's
releases</a>.</em></p>
<blockquote>
<h2>Version 0.38.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Support Python 3.14 by <a
href="https://github.com/Kludex"><code>@​Kludex</code></a> in <a
href="https://redirect.github.com/Kludex/uvicorn/pull/2723">Kludex/uvicorn#2723</a></li>
</ul>
<hr />
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/NGANAMODEIJunior"><code>@​NGANAMODEIJunior</code></a>
made their first contribution in <a
href="https://redirect.github.com/Kludex/uvicorn/pull/2713">Kludex/uvicorn#2713</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/Kludex/uvicorn/compare/0.37.0...0.38.0">https://github.com/Kludex/uvicorn/compare/0.37.0...0.38.0</a></p>
<h2>Version 0.37.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Add <code>--timeout-worker-healthcheck</code> setting by <a
href="https://github.com/Kludex"><code>@​Kludex</code></a> in <a
href="https://redirect.github.com/Kludex/uvicorn/pull/2711">Kludex/uvicorn#2711</a></li>
<li>Add <code>os.PathLike[str]</code> type to <code>ssl_ca_certs</code>
by <a href="https://github.com/rnv812"><code>@​rnv812</code></a> in <a
href="https://redirect.github.com/Kludex/uvicorn/pull/2676">Kludex/uvicorn#2676</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/LincolnPuzey"><code>@​LincolnPuzey</code></a>
made their first contribution in <a
href="https://redirect.github.com/Kludex/uvicorn/pull/2669">Kludex/uvicorn#2669</a></li>
<li><a href="https://github.com/rnv812"><code>@​rnv812</code></a> made
their first contribution in <a
href="https://redirect.github.com/Kludex/uvicorn/pull/2676">Kludex/uvicorn#2676</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/Kludex/uvicorn/compare/0.36.1...0.37.0">https://github.com/Kludex/uvicorn/compare/0.36.1...0.37.0</a></p>
<h2>Version 0.36.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Raise an exception when calling removed
<code>Config.setup_event_loop()</code> by <a
href="https://github.com/Kludex"><code>@​Kludex</code></a> in <a
href="https://redirect.github.com/Kludex/uvicorn/pull/2709">Kludex/uvicorn#2709</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/Kludex/uvicorn/compare/0.36.0...0.36.1">https://github.com/Kludex/uvicorn/compare/0.36.0...0.36.1</a></p>
<h2>Version 0.36.0</h2>
<h2>Added</h2>
<ul>
<li>Support custom IOLOOPs by <a
href="https://github.com/gnir-work"><code>@​gnir-work</code></a> in <a
href="https://redirect.github.com/Kludex/uvicorn/pull/2435">Kludex/uvicorn#2435</a></li>
<li>Allow to provide importable string in <code>--http</code>,
<code>--ws</code> and <code>--loop</code> by <a
href="https://github.com/Kludex"><code>@​Kludex</code></a> in <a
href="https://redirect.github.com/Kludex/uvicorn/pull/2658">Kludex/uvicorn#2658</a></li>
</ul>
<hr />
<h3>New Contributors</h3>
<ul>
<li><a href="https://github.com/gnir-work"><code>@​gnir-work</code></a>
made their first contribution in <a
href="https://redirect.github.com/Kludex/uvicorn/pull/2435">Kludex/uvicorn#2435</a></li>
<li><a
href="https://github.com/musicinmybrain"><code>@​musicinmybrain</code></a>
made their first contribution in <a
href="https://redirect.github.com/Kludex/uvicorn/pull/2659">Kludex/uvicorn#2659</a></li>
<li><a
href="https://github.com/secrett2633"><code>@​secrett2633</code></a>
made their first contribution in <a
href="https://redirect.github.com/Kludex/uvicorn/pull/2684">Kludex/uvicorn#2684</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/Kludex/uvicorn/compare/0.35.0...0.36.0">https://github.com/Kludex/uvicorn/compare/0.35.0...0.36.0</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/Kludex/uvicorn/blob/main/docs/release-notes.md">uvicorn's
changelog</a>.</em></p>
<blockquote>
<h2>0.38.0 (October 18, 2025)</h2>
<h3>Added</h3>
<ul>
<li>Support Python 3.14 (<a
href="https://redirect.github.com/Kludex/uvicorn/issues/2723">#2723</a>)</li>
</ul>
<h2>0.37.0 (September 23, 2025)</h2>
<h3>Added</h3>
<ul>
<li>Add <code>--timeout-worker-healthcheck</code> option (<a
href="https://redirect.github.com/Kludex/uvicorn/issues/2711">#2711</a>)</li>
<li>Add <code>os.PathLike[str]</code> type to <code>ssl_ca_certs</code>
(<a
href="https://redirect.github.com/Kludex/uvicorn/issues/2676">#2676</a>)</li>
</ul>
<h2>0.36.1 (September 23, 2025)</h2>
<h3>Fixed</h3>
<ul>
<li>Raise an exception when calling removed
<code>Config.setup_event_loop()</code> (<a
href="https://redirect.github.com/Kludex/uvicorn/issues/2709">#2709</a>)</li>
</ul>
<h2>0.36.0 (September 20, 2025)</h2>
<h3>Added</h3>
<ul>
<li>Support custom IOLOOPs (<a
href="https://redirect.github.com/Kludex/uvicorn/issues/2435">#2435</a>)</li>
<li>Allow to provide importable string in <code>--http</code>,
<code>--ws</code> and <code>--loop</code> (<a
href="https://redirect.github.com/Kludex/uvicorn/issues/2658">#2658</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="3850ad6520"><code>3850ad6</code></a>
Version 0.38.0 (<a
href="https://redirect.github.com/Kludex/uvicorn/issues/2733">#2733</a>)</li>
<li><a
href="9b3f17a549"><code>9b3f17a</code></a>
Support Python 3.14 (<a
href="https://redirect.github.com/Kludex/uvicorn/issues/2723">#2723</a>)</li>
<li><a
href="ce79f95d06"><code>ce79f95</code></a>
Revert &quot;Add Marcelo Trylesinski to the license (<a
href="https://redirect.github.com/Kludex/uvicorn/issues/2699">#2699</a>)&quot;
(<a
href="https://redirect.github.com/Kludex/uvicorn/issues/2730">#2730</a>)</li>
<li><a
href="dbf8797b47"><code>dbf8797</code></a>
docs: add social icons (<a
href="https://redirect.github.com/Kludex/uvicorn/issues/2728">#2728</a>)</li>
<li><a
href="58f28be98e"><code>58f28be</code></a>
Add section about event loop (<a
href="https://redirect.github.com/Kludex/uvicorn/issues/2725">#2725</a>)</li>
<li><a
href="93d9510749"><code>93d9510</code></a>
Bump docs dependencies (<a
href="https://redirect.github.com/Kludex/uvicorn/issues/2724">#2724</a>)</li>
<li><a
href="9b1c6c45ed"><code>9b1c6c4</code></a>
Move Marcelo Trylesinski to maintainers in <code>pyproject.toml</code>
(<a
href="https://redirect.github.com/Kludex/uvicorn/issues/2719">#2719</a>)</li>
<li><a
href="57a61d86f2"><code>57a61d8</code></a>
Add discord to README (<a
href="https://redirect.github.com/Kludex/uvicorn/issues/2718">#2718</a>)</li>
<li><a
href="7ef5f9f5e7"><code>7ef5f9f</code></a>
chore(deps): bump astral-sh/setup-uv from 6.7.0 to 6.8.0 (<a
href="https://redirect.github.com/Kludex/uvicorn/issues/2717">#2717</a>)</li>
<li><a
href="6d26d88970"><code>6d26d88</code></a>
Update pyproject.toml for PEP639 compliance (<a
href="https://redirect.github.com/Kludex/uvicorn/issues/2713">#2713</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/Kludex/uvicorn/compare/0.35.0...0.38.0">compare
view</a></li>
</ul>
</details>
<br />



---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Erik Vroon <erik.vroon@channable.com>
2025-11-14 08:57:18 +00:00
Erik Vroon
3b6cd73d65 Add more integration tests (#1126) 2025-02-16 16:26:30 +01:00
Erik Vroon
4450f76e4e Filter empty player names out of multi team creation (#1122) 2025-02-15 14:00:41 +00:00
Erik Vroon
2fa8c08da3 Add teams with players (#1118)
fixes https://github.com/evroon/bracket/issues/978
2025-02-12 11:27:14 +00:00
Erik Vroon
489fc2ba64 Feature: archived tournaments (#1112)
fixes https://github.com/evroon/bracket/issues/690
2025-02-09 18:00:52 +01:00
Erik Vroon
558c3163d1 Update pytest asyncio to 0.25.3 (#1110)
Updates the requirements on
[pytest-asyncio](https://github.com/pytest-dev/pytest-asyncio) to permit
the latest version.
- [Release notes](https://github.com/pytest-dev/pytest-asyncio/releases)
- [Commits](pytest-dev/pytest-asyncio@v0.21.2...v0.25.3)
2025-02-08 11:12:32 +00:00
Erik Vroon
cdde8c1fd3 Swiss scheduling improvements (#1019) 2024-11-21 19:59:02 +01:00
Erik Vroon
9f123babc2 Update elimination matches when updating rankings (#1002) 2024-11-08 17:51:41 +01:00
Erik Vroon
6aa2c51f89 Assign teams to subsequent elimination rounds (#1001)
fixes https://github.com/evroon/bracket/issues/998
2024-11-08 17:34:12 +01:00
Erik Vroon
932e5a245d Show updates to stage item inputs when going to next stage (#966) 2024-11-06 14:52:42 +01:00
Erik Vroon
d32c36080e Allow changing inputs after creating stage item (#962) 2024-10-26 19:34:08 +02:00
Erik Vroon
52890fadb2 Use stage item inputs instead of teams (#909)
A match should contain two stage item inputs that oppose each other,
instead of two teams. This simplifies a lot and is more logical.
2024-10-21 18:44:25 +02:00
Erik Vroon
388afa585a Make primary key typing stricter (#904) 2024-09-10 20:32:59 +02:00
Erik Vroon
b3073c0fa6 Fix paths of swiss endpoints (#903) 2024-09-10 19:21:24 +02:00
Erik Vroon
d6449e8d05 Customize rankings (#797)
Allows you to add rankings that specify how the ranking per stage item
is calculated.
Points are now stored per stage item input.
2024-09-07 12:03:16 +02:00
robigan
208936fefc Fix backend to recalculate start time on match update (#587) 2024-09-01 19:13:07 +02:00
robigan
e3fa10e2a9 Team logos (#529) 2024-02-28 08:41:19 +01:00
Erik Vroon
d016e50537 Check foreign keys belong to tournament (#516)
Handles a security vulnerability where it's possible to link to columns
of other tournaments, such as add players from another tournament to a
team
2024-02-23 21:11:13 +01:00
Erik Vroon
880d212ce9 Use uuids for logos (#488)
Otherwise uploads can replace current files with the same name.
Also fixes and adds more tests for logo uploads.
2024-02-18 11:24:35 +01:00
Erik Vroon
0c0d99f8fe Write files async (non-blocking) (#485)
Also remove unused files and reload image in frontend when uploading a
new image.
2024-02-17 18:20:01 +01:00
Erik Vroon
f4c8bcdd65 Improve ui when there is no content (#473)
Adds more skeletons, fixes user page, fixes bug in modal for stage item
creation, etc.
2024-02-13 18:57:41 +01:00
Erik Vroon
f834fab2de Add pagination (#472)
Adds pagination (backend and frontend) to teams and players GET
endpoints
2024-02-12 19:08:50 +01:00
Erik Vroon
9479c92c97 Increase code coverage (#466)
Remove unused code and add some tests
Also fix detection of running pytest
2024-02-10 20:59:36 +01:00
Erik Vroon
14728a62bb Make dashboard endpoint unique (#454) 2024-02-10 16:15:27 +01:00
Erik Vroon
b42fce38ab Fix demo account deletion (#450)
Fixes error due to `._mapping` invalid return type
2024-02-09 16:52:14 +01:00
Erik Vroon
61611066cd Pydantic v2 migration (#252)
Upgrade Pydantic to V2.

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-09 11:51:14 +01:00
Erik Vroon
31818c374e Fix db initialisation (#427)
fixes https://github.com/evroon/bracket/issues/426
2024-02-04 11:52:18 +01:00
Erik Vroon
469316efd4 Use Ruff format instead of Black (#420) 2024-02-03 14:29:33 +01:00
Erik Vroon
5659cd7344 Add demo functionality (#413)
Lets users create a temporary demo account to test the tool
2024-02-03 14:18:57 +01:00
Erik Vroon
b2a2dd1ea1 Implement hcaptcha (#410) 2024-01-17 16:31:38 +01:00
Erik Vroon
b21840ee2d Add Prometheus metrics (#372) 2023-12-03 16:45:35 +01:00
Erik Vroon
ac53331590 Add statistics columns to teams (#365) 2023-12-02 12:12:53 +01:00
Erik Vroon
4b3dfb9b20 Implement custom time per match (#337) 2023-11-21 21:11:25 +01:00
Erik Vroon
4e616d8d97 Multi users and teams creation (#342)
fixes https://github.com/evroon/bracket/issues/292
2023-11-21 20:07:35 +01:00
Erik Vroon
00cac360eb Improve swiss scheduling (#336) 2023-11-19 11:54:08 +01:00
Erik Vroon
0698c9f831 Test activate next stage (#331) 2023-11-11 13:57:57 +01:00
Erik Vroon
91d40b8e91 Add tests for scheduling logic (#329) 2023-11-11 12:57:06 +01:00
Erik Vroon
664b13b0db Fix swiss scheduling (#328) 2023-11-11 10:59:52 +01:00
Erik Vroon
3dceda218a Time scheduling (#315) 2023-11-07 19:51:46 +01:00
Erik Vroon
145d5787e1 Implement scheduling for elimination stage items (#314) 2023-11-05 15:22:24 +01:00
Erik Vroon
ab86f7ea77 Add schedule builder (#267) 2023-11-02 20:34:49 +01:00
Erik Vroon
894f99c34a Extend dashboard pages (#289) 2023-10-11 19:15:16 +02:00
Erik Vroon
f4d7aae2ea Add ruff check (#294) 2023-10-07 17:02:05 +02:00
Erik Vroon
6c741fd821 Dashboard endpoint (#285) 2023-10-01 11:19:56 +02:00
Erik Vroon
d1484a0bb3 Add behavior to go to next stage (#265) 2023-09-14 11:51:05 +02:00
Erik Vroon
aaca527647 Add courts functionality (#256) 2023-09-12 13:33:20 +02:00
Erik Vroon
f59c6f6965 Implement stage type specific round scheduling (#226) 2023-09-10 11:51:45 +02:00
Erik Vroon
a24766c210 Display stage name and select active stage by default (#210) 2023-05-09 21:31:27 +02:00