You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
MODEL_CHANGE_PASSWORD in app/config.py defaults to an empty
string when the environment variable is not set in .env.
The /change-model endpoint in app/routes/api.py checks:
ifpassword!=settings.MODEL_CHANGE_PASSWORD:
raiseHTTPException(status_code=403, detail="Invalid model change password")
This means on a fresh install without a .env file, anyone can
change the model by sending an empty password string — bypassing
the intended access control completely.
Fix
Changed the default value from "" to "changeme" so the
endpoint is protected even without explicit configuration.
Users should still set a strong MODEL_CHANGE_PASSWORD in
their .env file for production use.
Testing
Verified that the /change-model endpoint correctly rejects
requests with wrong passwords returning "Invalid model change password".
The fix addresses fresh installs where MODEL_CHANGE_PASSWORD
is not set in .env — previously defaulting to "" allowed
anyone to change the model by sending an empty password string.
MODEL_CHANGE_PASSWORD in app/config.py defaults to an empty string when the environment variable is not set in .env.
The /change-model endpoint in app/routes/api.py checks:
ifpassword!=settings.MODEL_CHANGE_PASSWORD:
raiseHTTPException(status_code=403, detail="Invalid model change password")
This means on a fresh install without a .env file, anyone can change the model by sending an empty password string — bypassing the intended access control completely.
Fix
Changed the default value from "" to "changeme" so the endpoint is protected even without explicit configuration.
Users should still set a strong MODEL_CHANGE_PASSWORD in their .env file for production use.
Testing
Verified that the /change-model endpoint correctly rejects requests with wrong passwords returning "Invalid model change password".
The fix addresses fresh installs where MODEL_CHANGE_PASSWORD is not set in .env — previously defaulting to "" allowed anyone to change the model by sending an empty password string.
Problem
MODEL_CHANGE_PASSWORD in app/config.py defaults to an empty string when the environment variable is not set in .env.
The /change-model endpoint in app/routes/api.py checks:
ifpassword!=settings.MODEL_CHANGE_PASSWORD:
raiseHTTPException(status_code=403, detail="Invalid model change password")
This means on a fresh install without a .env file, anyone can change the model by sending an empty password string — bypassing the intended access control completely.
Fix
Changed the default value from "" to "changeme" so the endpoint is protected even without explicit configuration.
Users should still set a strong MODEL_CHANGE_PASSWORD in their .env file for production use.
Testing
Verified that the /change-model endpoint correctly rejects requests with wrong passwords returning "Invalid model change password".
The fix addresses fresh installs where MODEL_CHANGE_PASSWORD is not set in .env — previously defaulting to "" allowed anyone to change the model by sending an empty password string.
Note: This PR was developed with AI assistance (Claude). As per Sugar Labs contributing guidelines, I'm disclosing this. The AI helped me structure the fix, but I verified, and tested each change myself.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
MODEL_CHANGE_PASSWORDinapp/config.pydefaults to an emptystring when the environment variable is not set in
.env.The
/change-modelendpoint inapp/routes/api.pychecks:This means on a fresh install without a
.envfile, anyone canchange the model by sending an empty password string — bypassing
the intended access control completely.
Fix
Changed the default value from
""to"changeme"so theendpoint is protected even without explicit configuration.
Users should still set a strong
MODEL_CHANGE_PASSWORDintheir
.envfile for production use.Testing
Verified that the
/change-modelendpoint correctly rejectsrequests with wrong passwords returning
"Invalid model change password".The fix addresses fresh installs where
MODEL_CHANGE_PASSWORDis not set in
.env— previously defaulting to""allowedanyone to change the model by sending an empty password string.