fix(dashboard): require auth for plugin rescan (#27340)

2026-05-24 19:45:07 +08:00
parent 5acaeba2bb
commit ee002e7fc5
2 changed files with 6 additions and 1 deletions
--- a/tests/hermes_cli/test_web_server.py
+++ b/tests/hermes_cli/test_web_server.py
@@ -327,6 +327,12 @@ class TestWebServerEndpoints:
        # Public endpoints should still work
        resp = unauth_client.get("/api/status")
        assert resp.status_code == 200
+        resp = unauth_client.get("/api/dashboard/plugins")
+        assert resp.status_code == 200
+        resp = unauth_client.get("/api/dashboard/plugins/rescan")
+        assert resp.status_code == 401
+        resp = self.client.get("/api/dashboard/plugins/rescan")
+        assert resp.status_code == 200

    def test_path_traversal_blocked(self):
        """Verify URL-encoded path traversal is blocked."""